CVE-2017-11154

HIGH

Synology Photo Station < 6.7.2-3429 - Unrestricted File Upload

Title source: rule

Description

Unrestricted file upload vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers to create arbitrary PHP scripts via the type parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Kacper Szurek · pythonwebappshardware

https://www.exploit-db.com/exploits/42434

View Code ZIP pw:eip

References (2)

[Vendor Advisory] https://www.synology.com/en-global/support/security/Synology_SA_17_34_PhotoStation

[Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/42434/

Scores

CVSS v3 7.2

EPSS 0.0686

EPSS Percentile 91.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (3)

synology/photo_station 6.3-2967

synology/photo_station < 6.7.2-3429

Synology/Synology Photo Station before 6.7.3-3432 and 6.3-2967

Published Aug 08, 2017

Tracked Since Feb 18, 2026