Synology-SA-17:77 Surveillance Station
Publish Time: 2017-12-12 14:13:00 UTC+8
Last Updated: 2018-02-26 11:04:05 UTC+8
- Severity
- Moderate
- Status
- Resolved
Abstract
Multiple vulnerabilities in Surveillance Station allow remote authenticated users to obtain other user's sensitive files or inject arbitrary web scripts and HTML code.
Updates for Affected Products
| Product | Severity | Latest Patch |
|---|---|---|
| Surveillance Station 8.1 | Moderate | Upgrade to 8.1.2-5469 or above. |
Mitigation
None
Detail
CVE-2017-16767
- Severity: Moderate
- CVSS3 Base Score: 6.5
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
- Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.
CVE-2017-16770
- Severity: Moderate
- CVSS3 Base Score: 4.3
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other user's sensitive files via the filename parameter.
Revision History
| Revision | Date | Description |
|---|---|---|
| 1 | 2017-12-12 | Initial public release. |
| 2 | 2018-02-26 | Disclosed vulnerability details. |