A vulnerability, which was classified as critical, has been found in Synology Moments up to 1.3.0. Affected by this issue is some unknown functionality of the file SYNO.PhotoTeam.Upload.Item of the component File Upload. The manipulation of the argument name as part of a Parameter leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Relative path traversal vulnerability in SYNO.PhotoTeam.Upload.Item in Synology Moments before 1.3.0-0691 allows remote authenticated users to upload arbitrary files via the name parameter.

The weakness was published 06/30/2019 (Website). The advisory is available at synology.com. This vulnerability is handled as CVE-2019-11826 since 05/08/2019. The attack may be launched remotely. A simple authentication is required for exploitation. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1006 by the MITRE ATT&CK project.

Upgrading to version 1.3.0-0691 eliminates this vulnerability.

Productinfo

Vendor

• Synology

Name

• Moments

Version

• 1.0
• 1.1
• 1.2
• 1.3

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion