Security Experts:

Connect with us

Hi, what are you looking for?


M&A Tracker

Synology Fixes XSS, Command Injection Vulnerabilities in NAS Software

Taiwan-based network attached storage (NAS) company Synology has released software updates to address several vulnerabilities reported by Dutch security company Securify.

Taiwan-based network attached storage (NAS) company Synology has released software updates to address several vulnerabilities reported by Dutch security company Securify.

One of the flaws uncovered by researchers is a reflected cross-site scripting (XSS) bug in Synology DiskStation Manager (DSM), the operating system that runs on the company’s DiskStation and RackStation appliances.Synology NAS

“This issue allows attackers to perform a wide variety of actions, such as stealing victims’ session tokens or login credentials if available, performing arbitrary actions on their behalf but also performing arbitrary redirects to potential malicious websites,” Securify wrote in its advisory.

In order to exploit the vulnerability, a malicious actor needs to trick the victim into clicking on a specially crafted link. This allows the attacker to execute arbitrary code in the user’s web browser.

The vulnerability has been successfully reproduced on Synology DiskStation Manager version 5.2-5565, released on May 12, and it has been addressed with the release of version 5.2-5565 Update 1 on May 21. The latest release of Synology DiskStation Manager also updates PHP to version 5.5.25 in order to fix several vulnerabilities.

Securify researchers have also identified vulnerabilities in Synology Photo Station, an online photo album that allows DSM users to manage and share photos and videos.

One of the issues is a command injection vulnerability that can be exploited to execute arbitrary commands with the privileges of the web server. The bug allows an attacker to compromise the NAS appliance and the data stored on it.

The flaw is caused by improper user input sanitization and the lack of protection against cross-site request forgery (CSRF) attacks.

Han Sahin, co-founder of Securify, has classified this vulnerability’s severity as “medium” due to the fact that remote exploitation requires social engineering. However, the expert has pointed out that such weaknesses in NAS appliances and routers are often targeted by malicious actors in so-called pharming attacks that leverage CSRF vulnerabilities.

The vulnerability has been tested on Synology Photo Station version 6.2-2858 and it was patched on May 21 with the release of version 6.3-2945.

Version 6.3-2945 of Synology Photo Station also resolves multiple reflected XSS vulnerabilities reported by Securify. The security firm has rated these issues as being of high severity.

Sahin has commended Synology for the way it has handled the vulnerability reports. The expert told SecurityWeek that the flaws were addressed in just five days after being reported, possibly thanks to the fact that Securify provided Synology’s security team the exact location of the bugs in the code.

Related: EMC Patches Flaws in M&R, Secure Remote Services

Related: Pinterest, Yammer iOS Apps Vulnerable to MitM Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.