Synology-SA-17:74 DSM

Publish Time: 2017-11-24 18:01:27 UTC+8

Last Updated: 2017-12-22 14:16:46 UTC+8

Severity

Moderate

Status

Resolved

Abstract

CVE-2017-16766 allows local users to inject arbitrary web script or HTML via susceptible versions of Synology DiskStation Manager (DSM).

Affected

  • Products
    • DSM 6.1
    • DSM 6.0
  • Models
    • All Synology models

Description

An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.

Mitigation

None

Update Availability

To fix the security issue, please update DSM 6.1 to 6.1.4-15217 or above, or DSM 6.0 to 6.0.3-8754-6 or above.
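The following is an added example, not Synology's code, that turns the version thresholds in the Description and Update Availability sections above into an automated affected-version check for fleet inventory. It parses DSM version strings in both the advisory's form ("6.0.3-8754-6") and the form shown in the DSM UI ("6.0.3-8754 Update 6"), compares them branch by branch against the fixed builds, and returns None for branches this advisory does not cover. The helper that reads a /etc.defaults/VERSION file assumes the key names productversion, buildnumber and smallfixnumber; that layout and the sample file content are assumptions, not taken from the advisory.

```python
import re
from typing import Optional, Tuple

# Fixed builds stated in the advisory, keyed by DSM branch (major, minor).
FIXED_VERSIONS = {
    (6, 1): "6.1.4-15217",
    (6, 0): "6.0.3-8754-6",
}

VersionTuple = Tuple[int, int, int, int, int]

# Accepts "major.minor[.patch]-build[-smallfix]"; the " Update N" suffix used
# by the DSM UI is normalised to "-N" before matching.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?")


def parse_dsm_version(text: str) -> VersionTuple:
    """Parse a DSM version string into a tuple that compares correctly."""
    normalised = re.sub(r"\s+Update\s+(\d+)$", r"-\1", text.strip())
    match = _VERSION_RE.fullmatch(normalised)
    if not match:
        raise ValueError(f"unrecognised DSM version string: {text!r}")
    major, minor, patch, build, fix = match.groups()
    return (int(major), int(minor), int(patch or 0), int(build), int(fix or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the version is before the fixed build for its branch,
    False if fixed, None if the branch is outside this advisory's scope."""
    version = parse_dsm_version(text)
    branch = (version[0], version[1])
    if branch not in FIXED_VERSIONS:
        return None
    return version < parse_dsm_version(FIXED_VERSIONS[branch])


def version_from_info(file_text: str) -> str:
    """Build a version string from key="value" lines as found in
    /etc.defaults/VERSION (assumed layout: productversion, buildnumber,
    smallfixnumber)."""
    pairs = dict(re.findall(r'^(\w+)="?([^"\n]*)"?$', file_text, re.M))
    version = f"{pairs['productversion']}-{pairs['buildnumber']}"
    small_fix = int(pairs.get("smallfixnumber", "0") or 0)
    if small_fix:
        version += f"-{small_fix}"
    return version


# Constructed sample of a VERSION file from a pre-fix DSM 6.1 unit (not real data).
SAMPLE_VERSION_FILE = (
    'majorversion="6"\n'
    'minorversion="1"\n'
    'productversion="6.1.3"\n'
    'buildnumber="15152"\n'
    'smallfixnumber="0"\n'
)


if __name__ == "__main__":
    for candidate in ["6.1.3-15152", "6.1.4-15217", "6.0.3-8754 Update 5",
                      "6.0.3-8754-6", "5.2-5967-5"]:
        print(f"{candidate:24} affected={is_affected(candidate)}")
    print("sample file ->", version_from_info(SAMPLE_VERSION_FILE),
          "affected =", is_affected(version_from_info(SAMPLE_VERSION_FILE)))
```

Run it on each unit's version string gathered from inventory, or point version_from_info at the contents of the VERSION file collected from the device; a result of True means the unit still needs the update named above, and None means the branch is not one the advisory addresses and should be checked against other sources.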