Synology-SA-17:77 Surveillance Station

Publish Time: 2017-12-12 14:13:00 UTC+8

Last Updated: 2018-02-26 11:04:05 UTC+8

Severity
Moderate
Status
Resolved

Abstract

Multiple vulnerabilities in Surveillance Station allow remote authenticated users to obtain other users' sensitive files or to inject arbitrary web script or HTML.

Updates for Affected Products

Product                   Severity   Latest Patch
Surveillance Station 8.1  Moderate   Upgrade to 8.1.2-5469 or above.
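To triage an estate against the fix version above, the following is an added Python helper (not Synology's tooling) that parses Surveillance Station package versions of the form release-build, such as 8.1.2-5469, and reports which hosts in a constructed inventory still run an affected build. The hostnames and versions in the inventory are made up for the example; only the fixed version comes from the advisory.

```python
import re

# Fixed build from the advisory's "Latest Patch" column.
FIXED_VERSION = "8.1.2-5469"

# Synology package versions look like <release>-<build>, e.g. "8.1.2-5469":
# dotted release numbers, a hyphen, then a build number.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)$")


def parse_version(text):
    """Turn a package version string into a comparable (release, build) key.

    The release tuple is zero-padded so that "8.1-5469" and "8.1.0-5469"
    compare equal instead of the shorter tuple sorting first.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Synology package version: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * (4 - len(release))
    return release, int(m.group(2))


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed build is older than the fixed build.

    Release numbers are compared before the build number, so 8.1.1-5500 is
    still affected even though its build number exceeds 5469.
    """
    return parse_version(installed) < parse_version(fixed)


def hosts_needing_upgrade(inventory, fixed=FIXED_VERSION):
    """Split a {host: installed_version} map into (affected hosts, unparsable hosts).

    Unparsable version strings are reported rather than silently treated as safe.
    """
    affected, unparsed = [], []
    for host, version in sorted(inventory.items()):
        try:
            if is_affected(version, fixed):
                affected.append(host)
        except ValueError:
            unparsed.append(host)
    return affected, unparsed


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and versions are not from the advisory.
    inventory = {
        "nvr-01": "8.1.2-5468",
        "nvr-02": "8.1.2-5469",
        "nvr-03": "8.1.1-5500",
        "nvr-04": "8.2.0-5700",
        "nvr-05": "unknown",
    }
    need, bad = hosts_needing_upgrade(inventory)
    print("upgrade required:", ", ".join(need))
    print("could not parse:", ", ".join(bad))
```

The release tuple is compared before the build number deliberately: a higher build on an older release line is still an affected install, and a version string that does not parse is surfaced rather than counted as patched.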

Mitigation

None

Detail

  • CVE-2017-16767

    • Severity: Moderate
    • CVSS3 Base Score: 6.5
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
    • Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter.
  • CVE-2017-16770

    • Severity: Moderate
    • CVSS3 Base Score: 4.3
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    • File and directory information exposure vulnerability in SYNO.SurveillanceStation.PersonalSettings.Photo in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to obtain other users' sensitive files via the filename parameter.
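The advisory names the affected parameters (userDesc and filename) but does not describe the root cause inside Surveillance Station. As an added illustration of the two vulnerability classes, and not Synology's code, the following Python sketches the unsafe shape of a per-user file lookup beside a hardened version that confines the request to the authenticated caller's own directory, and shows the output encoding that keeps a profile description inert when rendered as HTML. The base directory, user names, filenames and function names are constructed for the example.

```python
import html
import re
from pathlib import Path

# A photo filename never needs a directory separator, a leading dot, or control
# characters; an allowlist is easier to reason about than a traversal blocklist.
_SAFE_FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def render_description(user_desc):
    """Output-encode a profile description before placing it in HTML text or an
    attribute, so markup or script typed into the field is displayed, not executed."""
    return html.escape(user_desc, quote=True)


def unsafe_photo_path(base, current_user, filename):
    """The vulnerable shape of the class (constructed, not Synology's code): the
    parameter is joined onto the caller's directory without validation, so a
    value such as '../<other user>/<file>' resolves into another user's tree."""
    return (Path(base) / current_user / filename).resolve()


def resolve_photo_path(base, current_user, filename):
    """Resolve a requested filename strictly inside the caller's own directory.

    Raises PermissionError for separators, traversal components, empty or
    dot-prefixed names, and for any canonical path outside the caller's root.
    """
    root = (Path(base) / current_user).resolve()
    if not _SAFE_FILENAME_RE.fullmatch(filename):
        raise PermissionError(f"rejected filename: {filename!r}")
    candidate = (root / filename).resolve()
    # Canonical containment check: the allowlist already excludes '..', but this
    # also catches anything a symlink or platform quirk might reintroduce.
    if root not in candidate.parents:
        raise PermissionError(f"path escapes caller's directory: {candidate}")
    return candidate


if __name__ == "__main__":
    # Constructed inputs; the base directory and user names are illustrative only.
    base = "/srv/surveillance/users"
    print(render_description('<img src=x onerror="alert(1)">'))
    print(unsafe_photo_path(base, "alice", "../bob/avatar.jpg"))  # lands in bob's directory
    print(resolve_photo_path(base, "alice", "avatar.jpg"))
    try:
        resolve_photo_path(base, "alice", "../bob/avatar.jpg")
    except PermissionError as exc:
        print("blocked:", exc)
```

Two controls are layered on purpose: the allowlist rejects the obvious traversal and separator cases up front, and the canonical containment check is the authoritative decision, so a name that slips past the pattern still cannot resolve outside the caller's directory. The description is encoded at output time rather than sanitised on input, which keeps the stored value intact and makes the rendering context the place where safety is decided.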

Revision History

Revision  Date        Description
1         2017-12-12  Initial public release.
2         2018-02-26  Disclosed vulnerability details.