Synology-SA-18:26 DSM
Publish Time: 2018-05-31 10:52:07 UTC+8
Last Updated: 2019-03-31 23:10:04 UTC+8
- Severity
- Moderate
- Status
- Resolved
Abstract
A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Synology DiskStation Manager (DSM).
Affected Products
Product | Severity | Fixed Release Availability |
---|---|---|
DSM 6.2 | Not affected | None |
DSM 6.1 | Moderate | Upgrade to 6.1.4-15217-3 or above. |
DSM 6.0 | Moderate | Upgrade to 6.1.4-15217-3 or above. |
DSM 5.2 | Moderate | Upgrade to 6.1.4-15217-3 or above. |
Mitigation
None
Detail
- CVE-2017-16774
- Severity: Moderate
- CVSS3 Base Score: 6.5
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
- Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.
Revision
Revision | Date | Description |
---|---|---|
1 | 2018-05-31 | Initial public release. |
2 | 2019-03-31 | Disclosed vulnerability details. |