Synology DiskStation Manager (DSM) contains a flaw in the SliceUpload functionality provided by /webman/imageSelector.cgi. With a specially crafted request, a remote attacker can append data to files, allowing for the execution of arbitrary commands.
