webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 prior to 4.0-2259, 4.2 prior to 4.2-3243, and 4.3 prior to 4.3-3810 Update 1 allows remote malicious users to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.
Vulnerable Product |
---|
Synology DiskStation Manager 4.3 |
Synology DiskStation Manager 4.2 |
Synology DiskStation Manager 4.0 |
Synology DiskStation Manager 4.3-3810 |