Vulnerabilities related to Synology - BeePhotos
CVE-2024-10443 (GCVE-0-2024-10443)
Vulnerability from cvelistv5
Published
2024-11-15 10:23
Modified
2025-09-16 06:02
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.
References
URL | Tags |
---|---|
https://www.synology.com/en-global/security/advisory/Synology_SA_24_18 | vendor-advisory |
https://www.synology.com/en-global/security/advisory/Synology_SA_24_19 | vendor-advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
Synology | BeePhotos | Version: * ≤ Version: * ≤ |
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:synology:photo_station:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "photo_station", "vendor": "synology", "versions": [ { "lessThan": "1.6.2-0720", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-10443", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-11-15T17:35:15.333270Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-15T17:42:41.931Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "BeePhotos", "vendor": "Synology", "versions": [ { "lessThan": "1.1.0-10053", "status": "affected", "version": "*", "versionType": "semver" }, { "lessThan": "1.0.2-10026", "status": "affected", "version": "*", "versionType": "semver" } ] }, { "defaultStatus": "affected", "product": "Synology Photos", "vendor": "Synology", "versions": [ { "lessThan": "1.7.0-0795", "status": "affected", "version": "*", "versionType": "semver" }, { "lessThan": "1.6.2-0720", "status": "affected", "version": "*", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "PHP Hooligans / Midnight Blue working with Trend Micro Zero Day Initiative" } ], "descriptions": [ { "lang": "en", "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-78", "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-16T06:02:16.158Z", "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology" }, "references": [ { "name": "Synology-SA-24:18 BeePhotos (PWN2OWN 2024)", "tags": [ "vendor-advisory" ], "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_18" }, { "name": "Synology-SA-24:19 Synology Photos (PWN2OWN 2024)", "tags": [ "vendor-advisory" ], "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_19" } ] } }, "cveMetadata": { "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "assignerShortName": "synology", "cveId": "CVE-2024-10443", "datePublished": "2024-11-15T10:23:51.233Z", "dateReserved": "2024-10-28T02:34:40.599Z", "dateUpdated": "2025-09-16T06:02:16.158Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2024-11-15 11:15
Modified
2025-09-16 06:16
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors.
References
Impacted products
Vendor | Product | Version |
---|---|---|
synology | photos | * |
synology | diskstation_manager | 7.2 |
synology | beephotos | * |
synology | beestation_os | 1.1 |
synology | beephotos | * |
synology | beestation_os | 1.0 |
synology | photos | * |
synology | diskstation_manager | 7.2.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:synology:photos:*:*:*:*:*:diskstation_manager:*:*", "matchCriteriaId": "419F75B4-D207-4288-8497-4B3A8C583E46", "versionEndExcluding": "1.6.2-0720", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:synology:diskstation_manager:7.2:*:*:*:*:*:*:*", "matchCriteriaId": "5C262042-304B-49DC-BB4B-655C5C36D88C", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:synology:beephotos:*:*:*:*:*:beestation_os:*:*", "matchCriteriaId": "47E33443-30C1-42A0-8876-405FD9AC155A", "versionEndExcluding": "1.1.0-10053", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:synology:beestation_os:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "E456DD53-9402-48F7-98F8-8CEE480D8337", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:synology:beephotos:*:*:*:*:*:beestation_os:*:*", "matchCriteriaId": "A8BA8374-E7BE-406B-82E8-5EDBED2551EF", "versionEndExcluding": "1.0.2-10026", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:synology:beestation_os:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "DCDD1FA9-719E-4C69-9D72-29B154E27849", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:synology:photos:*:*:*:*:*:diskstation_manager:*:*", "matchCriteriaId": "71B932C6-C930-4C9A-9C75-CFEAFB41BD24", "versionEndExcluding": "1.7.0-0795", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:synology:diskstation_manager:7.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "4E22F435-F709-495B-84B4-A478C63331B9", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], 
"cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors." }, { "lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de elementos especiales utilizados en un comando (\u0027Inyecci\u00f3n de comando\u0027) en Task Manager component in Synology BeePhotos anteriores a 1.0.2-10026 y 1.1.0-10053 y Synology Photos anteriores a 1.6.2-0720 y 1.7.0-0795 permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2024-10443", "lastModified": "2025-09-16T06:16:04.327", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@synology.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-11-15T11:15:09.750", "references": [ { "source": "security@synology.com", "tags": [ "Vendor Advisory" ], "url": 
"https://www.synology.com/en-global/security/advisory/Synology_SA_24_18" }, { "source": "security@synology.com", "tags": [ "Vendor Advisory" ], "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_19" } ], "sourceIdentifier": "security@synology.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "security@synology.com", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-77" } ], "source": "nvd@nist.gov", "type": "Secondary" } ] }