ID

VAR-201506-0182


CVE

CVE-2015-4655


TITLE

Synology DiskStation Manager Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2015-003207

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject arbitrary web script or HTML via the "compound" parameter to entry.cgi. Synology DiskStation Manager is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. Synology DiskStation Manager 5.2-5565 is vulnerable. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network-attached storage (NAS) servers. The operating system can manage data, documents, photos, music and other information.

Trust: 2.07

sources: NVD: CVE-2015-4655 // JVNDB: JVNDB-2015-003207 // BID: 74811 // VULHUB: VHN-82616 // VULMON: CVE-2015-4655

AFFECTED PRODUCTS

vendor: synology, model: diskstation manager, scope: lte, version: 5.2-5565

Trust: 1.0

vendor: synology, model: diskstation manager, scope: lt, version: 5.2-5565 update 1

Trust: 0.8

vendor: synology, model: diskstation manager, scope: eq, version: 5.2-5565

Trust: 0.6

sources: JVNDB: JVNDB-2015-003207 // CNNVD: CNNVD-201505-528 // NVD: CVE-2015-4655

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-4655
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-4655
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201505-528
value: MEDIUM

Trust: 0.6

VULHUB: VHN-82616
value: MEDIUM

Trust: 0.1

VULMON: CVE-2015-4655
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-4655
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-82616
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-82616 // VULMON: CVE-2015-4655 // JVNDB: JVNDB-2015-003207 // CNNVD: CNNVD-201505-528 // NVD: CVE-2015-4655

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-82616 // JVNDB: JVNDB-2015-003207 // NVD: CVE-2015-4655

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201505-528

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201505-528

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-003207

PATCH

title: DS214play Release Notes, url: https://www.synology.com/en-global/releaseNote/DS214play

Trust: 0.8

sources: JVNDB: JVNDB-2015-003207

EXTERNAL IDS

db: NVD, id: CVE-2015-4655

Trust: 2.9

db: BID, id: 74811

Trust: 2.1

db: JVNDB, id: JVNDB-2015-003207

Trust: 0.8

db: CNNVD, id: CNNVD-201505-528

Trust: 0.7

db: VULHUB, id: VHN-82616

Trust: 0.1

db: VULMON, id: CVE-2015-4655

Trust: 0.1

sources: VULHUB: VHN-82616 // VULMON: CVE-2015-4655 // BID: 74811 // JVNDB: JVNDB-2015-003207 // CNNVD: CNNVD-201505-528 // NVD: CVE-2015-4655

REFERENCES

url:https://www.securify.nl/advisory/sfy20150503/reflected_cross_site_scripting_in_synology_diskstation_manager.html

Trust: 2.6

url:http://www.securityfocus.com/bid/74811

Trust: 1.9

url:https://www.synology.com/en-global/releasenote/ds214play

Trust: 1.8

url:http://seclists.org/fulldisclosure/2015/may/109

Trust: 1.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4655

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4655

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-82616 // VULMON: CVE-2015-4655 // JVNDB: JVNDB-2015-003207 // CNNVD: CNNVD-201505-528 // NVD: CVE-2015-4655

CREDITS

Han Sahin

Trust: 0.9

sources: BID: 74811 // CNNVD: CNNVD-201505-528

SOURCES

db: VULHUB, id: VHN-82616
db: VULMON, id: CVE-2015-4655
db: BID, id: 74811
db: JVNDB, id: JVNDB-2015-003207
db: CNNVD, id: CNNVD-201505-528
db: NVD, id: CVE-2015-4655

LAST UPDATE DATE

2024-11-23T22:49:22.585000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-82616, date: 2016-11-28T00:00:00
db: VULMON, id: CVE-2015-4655, date: 2016-11-28T00:00:00
db: BID, id: 74811, date: 2015-07-15T00:38:00
db: JVNDB, id: JVNDB-2015-003207, date: 2015-06-22T00:00:00
db: CNNVD, id: CNNVD-201505-528, date: 2015-06-19T00:00:00
db: NVD, id: CVE-2015-4655, date: 2024-11-21T02:31:29.653

SOURCES RELEASE DATE

db: VULHUB, id: VHN-82616, date: 2015-06-18T00:00:00
db: VULMON, id: CVE-2015-4655, date: 2015-06-18T00:00:00
db: BID, id: 74811, date: 2015-05-25T00:00:00
db: JVNDB, id: JVNDB-2015-003207, date: 2015-06-22T00:00:00
db: CNNVD, id: CNNVD-201505-528, date: 2015-05-26T00:00:00
db: NVD, id: CVE-2015-4655, date: 2015-06-18T18:59:06.910