Synology-SA-18:30 SSL VPN Client
Publish Time: 2018-06-01 15:08:53 UTC+8
Last Updated: 2019-03-31 23:56:49 UTC+8
- Severity
- Important
- Status
- Resolved
Abstract
A vulnerability allows remote attackers to conduct man-in-the-middle attacks via a susceptible version of SSL VPN Client.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| SSL VPN Client | Important | Upgrade to 1.2.5-0226 or above. |
Mitigation
None
Detail
- CVE-2018-13283
- Severity: Important
- CVSS3 Base Score: 8.8
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Lack of administrator control over security vulnerability in client.cgi in Synology SSL VPN Client before 1.2.5-0226 allows remote attackers to conduct man-in-the-middle attacks via the (1) command, (2) hostname, or (3) port parameter.
Acknowledgement
丁諭祺(Yu-Chi Ding) from DEVCORE CHROOT
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2018-06-01 | Initial public release. |
| 2 | 2019-03-31 | Disclosed vulnerability details. |