Abstract
Multiple vulnerabilities allow remote authenticated users or remote authenticated users with administrator privileges to inject arbitrary web script or HTML via a susceptible version of Synology Router Manager (SRM).
Affected Products
Product |
Severity |
Fixed Release Availability |
SRM 1.3 |
Moderate |
Upgrade to 1.3.1-9346-10 or above. |
Mitigation
None
Detail
CVE-2024-53279
- Severity: Moderate
- CVSS3 Base Score: 5.9
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
- Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in file station functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
CVE-2024-53280
- Severity: Moderate
- CVSS3 Base Score: 5.9
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
- Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in network center policy route functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
CVE-2024-53281
- Severity: Moderate
- CVSS3 Base Score: 5.9
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
- Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Network WOL functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2024-53282
- Severity: Moderate
- CVSS3 Base Score: 5.9
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
- Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect MAC Filter functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
CVE-2024-53283
- Severity: Moderate
- CVSS3 Base Score: 5.9
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
- Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Router Port Forward functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
CVE-2024-53284
- Severity: Moderate
- CVSS3 Base Score: 5.9
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
- Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
CVE-2024-53285
- Severity: Moderate
- CVSS3 Base Score: 5.9
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
- Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
Acknowledgement
Only Hack in Cave (tr4ce(Jinho Ju), neko_hat(Dohwan Kim), tw0n3(Han Lee), Hc0wl(GangMin Kim)) (https://github.com/Team-OHiC)
Reference
Revision
Revision |
Date |
Description |
1 |
2024-09-09 |
Initial public release. |
2 |
2024-12-09 |
Disclosed vulnerability details. |