Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.
The vulnerability results from improper neutralization of special characters in operating system commands (CWE-78, CWE-77) in the Task Manager component. An attacker can transmit crafted input over the network without any authentication and without user interaction, which will be passed directly to the system shell. As a result, arbitrary commands can be executed at the operating system level on the device.
An attacker can gain full control of the device, obtaining confidentiality, integrity, and availability of the system — including the ability to read and modify data, install malicious software, and disrupt services.
Synology BeePhotos must be immediately updated to version 1.0.2-10026 or 1.1.0-10053 (and newer) and Synology Photos to version 1.6.2-0720 or 1.7.0-0795 (and newer). Detailed information is available in the vendor's security bulletins: Synology_SA_24_18 and Synology_SA_24_19.
Synology BeePhotos in versions before 1.0.2-10026 and before 1.1.0-10053; Synology Photos in versions before 1.6.2-0720 and before 1.7.0-0795.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSynology Beephotos
APPSynology< 1.1.0-10053< 1.0.2-10026Synology Beestation Os
OSSynology1.01.1Synology Diskstation Manager
OSSynology7.27.2.2Synology Photos
APPSynology< 1.7.0-0795< 1.6.2-0720
Related vulnerabilities
Classic Buffer Overflow w Synology BeeStation OS — zdalne wykonanie kodu
CSRF umożliwiający RCE w Synology DiskStation Manager i Unified Controller
RCE w Synology BeeStation OS i DSM — błąd kodowania wyjścia w systemowym daemonie
RCE przez błąd off-by-one w komponencie transmisji Synology Replication Service
Brak autoryzacji w Synology Surveillance Station — zapis konfiguracji i restart NAS