Reflected Cross-Site Scripting in Synology DiskStation Manager
------------------------------------------------------------------------
Han Sahin, May 2015
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site Scripting vulnerability was found in Synology
DiskStation Manager. This issue allows attackers to perform a wide
variety of actions, such as stealing victims' session tokens or login
credentials if available, performing arbitrary actions on their behalf,
and also performing arbitrary redirects to potentially malicious websites.
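The pattern behind a reflected Cross-Site Scripting issue is a request parameter copied into the response without output encoding. The following is an added illustration, not code from the advisory or from Synology: the affected DSM endpoint and parameter are not given on this page, so the "msg" parameter and the error-page template are hypothetical, and the query string is a constructed sample. It shows the vulnerable reflection next to the hardened form and a check a tester can use to tell them apart.

```python
import html
from urllib.parse import parse_qs

# Constructed sample request: the real DSM parameter name is not stated
# in the advisory, so "msg" is a hypothetical name used for illustration.
SAMPLE_QUERY = "msg=<script>alert(1)</script>"


def _msg_param(query: str) -> str:
    """Extract the 'msg' parameter from a query string (empty if absent)."""
    return parse_qs(query).get("msg", [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflect the parameter into the HTML body verbatim: the bug pattern."""
    return f"<p>Error: {_msg_param(query)}</p>"


def render_hardened(query: str) -> str:
    """Reflect the same value after HTML entity encoding.

    html.escape with quote=True encodes &, <, >, " and ', which is the
    correct encoding for element text and quoted attribute values.
    """
    return f"<p>Error: {html.escape(_msg_param(query), quote=True)}</p>"


def reflects_raw_markup(page: str, query: str) -> bool:
    """Return True if the raw parameter value appears unencoded in the page."""
    value = _msg_param(query)
    return "<" in value and value in page


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_QUERY))
    print(render_hardened(SAMPLE_QUERY))
    print("vulnerable reflects raw markup:",
          reflects_raw_markup(render_vulnerable(SAMPLE_QUERY), SAMPLE_QUERY))
    print("hardened reflects raw markup:",
          reflects_raw_markup(render_hardened(SAMPLE_QUERY), SAMPLE_QUERY))
```

Entity encoding is the right fix only for an HTML text or quoted-attribute context; a value reflected into a script block, an event handler, or a URL needs the encoding appropriate to that context, and a Content Security Policy reduces the impact if an encoding gap remains.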
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was tested on Synology DiskStation Manager version 5.2-5565.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Synology reports that this issue has been resolved in DiskStation
Manager version 5.2-5565 Update 1 (2015/05/21).
https://www.synology.com/en-global/releaseNote/DS214play
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20150503/reflected_cross_site_scripting_in_synology_diskstation_manager.html