Bugtraq mailing list archives
Reflected Cross-Site Scripting in Synology DiskStation Manager
From: "Securify B.V." <lists () securify nl>
Date: Mon, 25 May 2015 16:42:29 +0200
------------------------------------------------------------------------ Reflected Cross-Site Scripting in Synology DiskStation Manager ------------------------------------------------------------------------ Han Sahin, May 2015 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A reflected Cross-Site scripting vulnerability was found in Synology DiskStation Manager. This issue allows attackers to perform a wide variety of actions, such as stealing victims' session tokens or login credentials if available, performing arbitrary actions on their behalf but also performing arbitrary redirects to potential malicious websites. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was tested on Synology DiskStation Manager version 5.2-5565. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Synology reports that this issue has been resolved in DiskStation Manager version 5.2-5565 Update 1 (2015/05/21). https://www.synology.com/en-global/releaseNote/DS214play ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20150503/reflected_cross_site_scripting_in_synology_diskstation_manager.html
Current thread:
- Reflected Cross-Site Scripting in Synology DiskStation Manager Securify B.V. (May 25)