Synology-SA-18:26 DSM

Publish Time: 2018-05-31 10:52:07 UTC+8

Last Updated: 2019-03-31 23:10:04 UTC+8

Severity: Moderate

Status: Resolved

Abstract

A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Synology DiskStation Manager (DSM).

Affected Products

Product	Severity	Fixed Release Availability
DSM 6.2	Not affected	None
DSM 6.1	Moderate	Upgrade to 6.1.4-15217-3 or above.
DSM 6.0	Moderate	Upgrade to 6.1.4-15217-3 or above.
DSM 5.2	Moderate	Upgrade to 6.1.4-15217-3 or above.

Mitigation

None

Detail

CVE-2017-16774
- Severity: Moderate
- CVSS3 Base Score: 6.5
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
- Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter.

Revision

Revision	Date	Description
1	2018-05-31	Initial public release.
2	2019-03-31	Disclosed vulnerability details.