ID

VAR-201708-1064


CVE

CVE-2017-11159


TITLE

Untrusted search path vulnerabilities in Synology Photo Station Uploader running on Windows

Trust: 0.8

sources: JVNDB: JVNDB-2017-007309

DESCRIPTION

Multiple untrusted search path vulnerabilities in the installer in Synology Photo Station Uploader before 1.4.2-084 on Windows allow local attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) shfolder.dll, (2) ntmarta.dll, (3) secur32.dll or (4) dwmapi.dll file in the current working directory. Synology Photo Station Uploader running on Windows contains an untrusted search path vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Synology Photo Station Uploader for Windows is a set of solutions from Synology for sharing pictures, videos and blogs on the Internet.

Trust: 1.71

sources: NVD: CVE-2017-11159 // JVNDB: JVNDB-2017-007309 // VULHUB: VHN-101553

AFFECTED PRODUCTS

vendor: synology // model: photo station uploader // scope: lte // version: 1.4.1-083

Trust: 1.0

vendor: synology // model: photo station uploader // scope: lt // version: 1.4.2-084

Trust: 0.8

vendor: synology // model: photo station uploader // scope: eq // version: 1.4.1-083

Trust: 0.6

sources: JVNDB: JVNDB-2017-007309 // CNNVD: CNNVD-201707-374 // NVD: CVE-2017-11159

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-11159
value: HIGH

Trust: 1.0

NVD: CVE-2017-11159
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201707-374
value: HIGH

Trust: 0.6

VULHUB: VHN-101553
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-11159
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-101553
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-11159
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-101553 // JVNDB: JVNDB-2017-007309 // CNNVD: CNNVD-201707-374 // NVD: CVE-2017-11159

PROBLEMTYPE DATA

problemtype: CWE-426

Trust: 1.9

problemtype: CWE-427

Trust: 1.0

sources: VULHUB: VHN-101553 // JVNDB: JVNDB-2017-007309 // NVD: CVE-2017-11159

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201707-374

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201707-374

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-007309

PATCH

title: Synology-SA-17:45 Photo Station Uploader // url: https://www.synology.com/en-global/support/security/Synology_SA_17_45_Photo_Station_Uploader

Trust: 0.8

title: Synology Photo Station Uploader for Windows Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=99906

Trust: 0.6

sources: JVNDB: JVNDB-2017-007309 // CNNVD: CNNVD-201707-374

EXTERNAL IDS

db: NVD // id: CVE-2017-11159

Trust: 2.5

db: JVNDB // id: JVNDB-2017-007309

Trust: 0.8

db: CNNVD // id: CNNVD-201707-374

Trust: 0.7

db: VULHUB // id: VHN-101553

Trust: 0.1

sources: VULHUB: VHN-101553 // JVNDB: JVNDB-2017-007309 // CNNVD: CNNVD-201707-374 // NVD: CVE-2017-11159

REFERENCES

url: https://www.synology.com/en-global/support/security/synology_sa_17_45_photo_station_uploader

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11159

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-11159

Trust: 0.8

sources: VULHUB: VHN-101553 // JVNDB: JVNDB-2017-007309 // CNNVD: CNNVD-201707-374 // NVD: CVE-2017-11159

SOURCES

db: VULHUB // id: VHN-101553
db: JVNDB // id: JVNDB-2017-007309
db: CNNVD // id: CNNVD-201707-374
db: NVD // id: CVE-2017-11159

LAST UPDATE DATE

2025-04-20T23:36:48.020000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-101553 // date: 2019-10-09T00:00:00
db: JVNDB // id: JVNDB-2017-007309 // date: 2017-09-19T00:00:00
db: CNNVD // id: CNNVD-201707-374 // date: 2019-10-17T00:00:00
db: NVD // id: CVE-2017-11159 // date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB // id: VHN-101553 // date: 2017-08-23T00:00:00
db: JVNDB // id: JVNDB-2017-007309 // date: 2017-09-19T00:00:00
db: CNNVD // id: CNNVD-201707-374 // date: 2017-07-11T00:00:00
db: NVD // id: CVE-2017-11159 // date: 2017-08-23T15:29:00.253