Synology DiskStation Manager < 4.3-3810 Update 3 Multiple FileBrowser Component Directory Traversal Vulnerabilities
High Nessus Plugin ID 72346
Synopsis
The remote Synology DiskStation Manager is affected by multiple directory traversal vulnerabilities.
Description
According to its version number, the Synology DiskStation Manager installed on the remote host is 4.3-x equal to or prior to 4.3-3810. It is, therefore, affected by multiple directory traversal vulnerabilities in the FileBrowser component. The issue exists due to improper validation of values submitted to the various file parameters in the following scripts in the '/webapi/FileStation' directory:
Any authenticated user can exploit these affected files to read, write, and delete arbitrary files.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to 4.3-3810 Update 3 or later, or contact the vendor.