← back
CVE-2013-6987

CVE-2013-6987

EPSS 14.9%
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/.
Affected products
n/a · n/a
public PoCs found4
githubgithub.com/stoicboomer/CVE-2013-69870cve_referencepacketstormsecurity.com/files/124563unverifiedcve_referencewww.exploit-db.com/exploits/30475unverifiedexploitdbwww.exploit-db.com/exploits/30475unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/124563http://seclists.org/fulldisclosure/2013/Dec/177https://exchange.xforce.ibmcloud.com/vulnerabilities/89892http://www.exploit-db.com/exploits/30475http://www.securityfocus.com/bid/64483http://www.synology.com/en-us/releaseNote/model/DS114