Multiple vulnerabilities were found in Synology Drive, a file management solution that unifies multiple file portals on Synology Network Attached Storage (NAS) by synchronizing files across various desktop and mobile platforms. Remote authenticated attackers could exploit some of the vulnerabilities by using a specially crafted file name.
A successful attack could lead to cross-site scripting or information disclosure on a vulnerable system.
Synology has released software updates (1.0.2-10275 or above) to address the issues. Users are advised to check whether their Synology Network Attached Storage (NAS) systems are affected by going to the “Package Center”, which shows the installed version of Drive.
The corresponding updates for Synology Drive can be obtained by going to the “Package Center”.
https://www.synology.com/zh-tw/support/security/Synology_SA_18_11
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2018-8921
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2018-8922