Directory traversal vulnerability in synphotoio in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to read arbitrary files via unspecified vectors.
https://www.synology.com/en-global/support/security/Synology_SA_17_35_PhotoStation