[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Reflected Cross-Site Scripting in Synology DiskStation Manager



------------------------------------------------------------------------
Reflected Cross-Site Scripting in Synology DiskStation Manager
------------------------------------------------------------------------
Han Sahin, May 2015

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site scripting vulnerability was found in Synology
DiskStation Manager. This issue allows attackers to perform a wide
variety of actions, such as stealing victims' session tokens or login
credentials if available, performing arbitrary actions on their behalf
but also performing arbitrary redirects to potential malicious websites.

------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was tested on Synology DiskStation Manager version 5.2-5565.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Synology reports that this issue has been resolved in DiskStation
Manager version 5.2-5565 Update 1 (2015/05/21).
https://www.synology.com/en-global/releaseNote/DS214play

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20150503/reflected_cross_site_scripting_in_synology_diskstation_manager.html