CVE-2018-8914

HIGH

Synology Media Server < 1.4-2654 - SQL Injection

Title source: rule

Description

SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to execute arbitrary SQL commands via the ObjectID parameter.

References (1)

[Vendor Advisory] https://www.synology.com/en-global/support/security/Synology_SA_18_04

Scores

CVSS v3 7.3

EPSS 0.0032

EPSS Percentile 55.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Classification

CWE

CWE-89

Status published

Affected Products (1)

synology/media_server < 1.4-2654

Timeline

Published May 10, 2018

Tracked Since Feb 18, 2026