Synology-SA-20:25 Safe Access
Publish Time: 2020-11-24 11:52:27 UTC+8
Last Updated: 2020-12-28 09:09:32 UTC+8
- Severity
- Critical
- Status
- Resolved
Abstract
Multiple vulnerabilities allow remote attackers to execute arbitrary code via a susceptible version of Safe Access.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Safe Access | Critical | Upgrade to 1.2.3-0234 or above. |
Mitigation
None
Detail
CVE-2020-27659
- Severity: Important
- CVSS3 Base Score: 8.4
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
- Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter.
CVE-2020-27660
- Severity: Critical
- CVSS3 Base Score: 9.6
- CVSS3 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter.
Acknowledgement
Thomas Fady
Claudio Bozzato of Cisco Talos
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2020-11-24 | Initial public release. |
| 2 | 2020-11-30 | Disclosed vulnerability details. |
| 3 | 2020-12-25 | Update the Acknowledgement |