Arbitrary file upload in Synology Photo Station

CVE-2017-16772

Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUpload in Synology Photo Station before 6.8.3-3463 and before 6.3-2971 allows remote authenticated users to execute arbitrary codes via the prog_id parameter.

Vulnerability class: Unrestricted File Upload

EPSS: 0.013 (80.1th percentile) — read the EPSS interpretation.

Affected products

Synology Photo Station — versions before 6.3-2971, before 6.8.3-3463

Weakness classification (CWE)

CWE-434 — Unrestricted Upload of File with Dangerous Type

References

www.synology.com/en-global/support/security/Synology_SA_18_02 (x_refsource_CONFIRM)