Synology-SA-21:04 Video Station

Publish Time: 2021-02-23 09:17:09 UTC+8

Last Updated: 2021-06-10 16:25:07 UTC+8

Abstract

A vulnerability allows remote authenticated users to access intranet resources via a susceptible version of Video Station.

Affected Products

Product	Severity	Fixed Release Availability
Video Station	Moderate	Upgrade to 2.4.10-1632 or above.

Mitigation

None

Detail

CVE-2021-33181
- Severity: Moderate
- CVSS3 Base Score: 6.6
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
- Server-Side Request Forgery (SSRF) vulnerability in webapi component in Synology Video Station before 2.4.10-1632 allows remote authenticated users to send arbitrary request to intranet resources via unspecified vectors.

Acknowledgement

Bing-Jhong Jheng

Reference

CVE-2021-33181

Revision

Revision	Date	Description
1	2021-02-23	Initial public release.
2	2021-06-10	Disclose vulnerability details.