CVE-2017-11156
HIGHSynology Download Station - Incorrect Permission Assignment
Title source: ruleDescription
Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 uses weak permissions (0777) for ui/dlm/btsearch directory, which allows remote authenticated users to execute arbitrary code by uploading an executable via unspecified vectors.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://www.synology.com/en-global/support/security/Synology_SA_17_28_Download_Station
Scores
CVSS v3
7.8
EPSS
0.0080
EPSS Percentile
74.2%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-276
CWE-732
Status
published
Products (34)
synology/download_station
3.2-2295
synology/download_station
3.3-2382
synology/download_station
3.3-2383
synology/download_station
3.3-2386
synology/download_station
3.4-2477
synology/download_station
3.4-2478
synology/download_station
3.4-2480
synology/download_station
3.4-2485
synology/download_station
3.4-2486
synology/download_station
3.4-2489
... and 24 more
Published
Aug 14, 2017
Tracked Since
Feb 18, 2026