Yes, here is the clarification from the source <broken link>:
- the session fixation was about a DS Photostation issue from June 2018 (fixed)
- and the second one was about File sharing, also from summer 2018, also fixed
Then the official document (SOHO vulnerabilities) is missing such details, which would clearly define:
- when each single test was passed (in the case of Synology, before June 2018)
- when the vulnerabilities were disclosed to the vendor (June 2018)
- when assigned by the vendor (November 2018)
- when fixed by the vendor.
The date of issue of the SOHO vulnerabilities doc is Sept 16th 2019. Then, there are unclear statements, which would look like current or still-live problems.
Following my research:
- this vulnerability of Photo Station - link - was fixed by Synology from Photo Station ver 6.8.7-3481 in 2018, Synology link
- the second vulnerability was fixed by DSM from ver. 6.2.-23739-2 (summer 2018).
Summary:
I really don’t understand why in a security report from September 2019 there is an unclear statement about such vulnerabilities, which were fixed more than 12 months ago.
Here you can find the CVE list for Synology, which is more useful.