CVE-2015-9102

MEDIUM

Synology Photo Station < 6.3-2960 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos.

References (5)

[Third Party Advisory] http://www.fortiguard.com/zeroday/FG-VD-15-103

[Third Party Advisory] http://www.fortiguard.com/zeroday/FG-VD-15-104

[Third Party Advisory] http://www.fortiguard.com/zeroday/FG-VD-15-109

[Third Party Advisory] http://www.fortiguard.com/zeroday/FG-VD-15-112

[Vendor Advisory] https://www.synology.com/en-global/support/security/Photo_Station_6_3_2962

Scores

CVSS v3 5.4

EPSS 0.0033

EPSS Percentile 55.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (3)

synology/photo_station < 6.3-2960

Synology/Photo Station < 6.0

Synology/Photo Station < 6.3

Published Jun 30, 2017

Tracked Since Feb 18, 2026