CVE-2016-10330

HIGH

Synology Photo Station < 6.5.3-3226 - Local Arbitrary File Write via synophoto_dsm_user Path Traversal

Title source: llm

Description

Directory traversal vulnerability in synophoto_dsm_user, a SUID program, as used in Synology Photo Station before 6.5.3-3226 allows local users to write to arbitrary files via unspecified vectors.

References (4)

Core 4

Core References

Exploit, Third Party Advisory x_refsource_misc

https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-04-Privilege-Escalation

Exploit, Third Party Advisory x_refsource_misc

https://bamboofox.github.io/2017/03/20/Synology-Bug-Bounty-2016/#Vul-03-Read-Write-Arbitrary-Files

Release Notes x_refsource_confirm

https://www.synology.com/en-global/support/security/Photo_Station_6_5_3_3226

Exploit, Third Party Advisory, VDB Entry mailing-list x_refsource_mlist

http://seclists.org/oss-sec/2016/q1/236

Scores

CVSS v3 7.1

EPSS 0.0005

EPSS Percentile 16.9%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-22

Status published

Products (2)

synology/photo_station < 6.5.2-3225

Synology/Synology Photo Station All versions prior to version 6.5.3-3226

Published May 12, 2017

Tracked Since Feb 18, 2026