PT-2019-12508 · Synology · Synology Photo Station
Menghuan Yu
·
Published
2019-06-30
·
Updated
2023-01-30
·
CVE-2019-11821
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Synology Photo Station versions prior to 6.8.11-3489
Synology Photo Station versions prior to 6.3-2977
Description
The issue allows remote attackers to execute arbitrary SQL commands via the
type parameter in the synophoto csPhotoDB.php file. This enables attackers to manipulate the database, potentially leading to unauthorized data access or modification.Recommendations
For versions prior to 6.8.11-3489, update to version 6.8.11-3489 or later.
For versions prior to 6.3-2977, update to version 6.3-2977 or later.
As a temporary workaround, consider restricting access to the synophoto csPhotoDB.php file to minimize the risk of exploitation.
Avoid using the
type parameter in the affected API endpoint until the issue is resolved.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Synology Photo Station