CVE-2015-9102

MEDIUM

Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962: Authenticated XSS via Album Name, File Name, Description, or Tag

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station 6.0 before 6.0-2638 and 6.3 before 6.3-2962 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) album name, (2) file name of uploaded photos, (3) description of photos, or (4) tag of the photos.

References (5)

Core References
Third Party Advisory x_refsource_misc
http://www.fortiguard.com/zeroday/FG-VD-15-104
Third Party Advisory x_refsource_misc
http://www.fortiguard.com/zeroday/FG-VD-15-109
Third Party Advisory x_refsource_misc
http://www.fortiguard.com/zeroday/FG-VD-15-112
Third Party Advisory x_refsource_misc
http://www.fortiguard.com/zeroday/FG-VD-15-103

Scores

CVSS v3 5.4
EPSS 0.0033
EPSS Percentile 55.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (3)
Synology/Photo Station 6.0
Synology/Photo Station 6.3
synology/photo_station < 6.3-2960
Published Jun 30, 2017
Tracked Since Feb 18, 2026