CVE-2017-9552

HIGH

Synology Photo Station <6.7.1-3419 - Info Disclosure

Title source: llm

Description

A design flaw in authentication in Synology Photo Station 6.0-2528 through 6.7.1-3419 allows local users to obtain credentials via cmdline. Synology Photo Station employs the synophoto_dsm_user program to authenticate username and password by "synophoto_dsm_user --auth USERNAME PASSWORD", and local users are able to obtain credentials by sniffing "/proc/*/cmdline".

References (2)

Scores

CVSS v3 7.8
EPSS 0.0004
EPSS Percentile 13.2%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-522 CWE-287
Status draft

Affected Products (24)

synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
synology/photo_station
... and 9 more

Timeline

Published Jun 13, 2017
Tracked Since Feb 18, 2026