Full Disclosure mailing list archives
Multiple Cross-Site Scripting vulnerabilities in Synology Download Station
From: "Securify B.V." <lists () securify nl>
Date: Wed, 9 Sep 2015 20:16:33 +0200
------------------------------------------------------------------------ Multiple Cross-Site Scripting vulnerabilities in Synology Download Station ------------------------------------------------------------------------ Han Sahin, September 2015 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Multiple Cross-Site Scripting vulnerabilities were found in Synology Download Station. These issues allow attackers to perform a wide variety of actions, such as stealing victims' session tokens or login credentials if available, performing arbitrary actions on their behalf but also performing arbitrary redirects to potential malicious websites. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ These issues have been tested on Synology Download Station version 3.5-2956 and version 3.5-2962. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Synology reports that these issue have been resolved in: - Download Station version 3.5-2962 [Create download task via file upload] - Download Station version 3.5-2967 [Create download task via URL] ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20150809/multiple_cross_site_scripting_vulnerabilities_in_synology_download_station.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Multiple Cross-Site Scripting vulnerabilities in Synology Download Station Securify B.V. (Sep 09)