Synology-SA-17:68 Calendar

Publish Time: 2017-11-10 17:59:55 UTC+8

Last Updated: 2017-12-08 16:18:32 UTC+8

Severity: Important

Status: Resolved

Abstract

CVE-2017-15891 allows remote authenticated users to modify calendar events in an unauthorized manner via a vulnerable version of Calendar.

Affected

  • Products
    • Calendar before 2.0.1-0242
  • Models
    • All Synology models

Description

Improper access control vulnerability in SYNO.Cal.EventBase in Synology Calendar before 2.0.1-0242 allows remote authenticated users to modify calendar events via unspecified vectors.

Mitigation

None

Update Availability

To fix the security issue, please go to DSM > Package Center and update Calendar to 2.0.1-0242 or above.