ID

VAR-201712-0380


CVE

CVE-2017-16766


TITLE

Synology DiskStation Manager Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-011711

DESCRIPTION

An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option. Synology DiskStation Manager (DSM) contains an injection vulnerability. Information may be obtained and information may be altered. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information. In Synology DSM versions earlier than 6.1.4-15217 and versions earlier than 6.0.3-8754-6, synodsmnotify has an access control error vulnerability.

Trust: 1.71

sources: NVD: CVE-2017-16766 // JVNDB: JVNDB-2017-011711 // VULHUB: VHN-107721

AFFECTED PRODUCTS

vendor: synology // model: diskstation manager // scope: lt // version: 6.0.3-8754-6

Trust: 1.8

vendor: synology // model: diskstation manager // scope: lt // version: 6.1.4-15217

Trust: 1.8

vendor: synology // model: diskstation manager // scope: gte // version: 6.1.0

Trust: 1.0

vendor: synology // model: diskstation manager // scope: gte // version: 6.0.0

Trust: 1.0

sources: JVNDB: JVNDB-2017-011711 // NVD: CVE-2017-16766

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-16766
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-16766
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201712-865
value: MEDIUM

Trust: 0.6

VULHUB: VHN-107721
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-16766
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-107721
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-16766
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.5
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-107721 // JVNDB: JVNDB-2017-011711 // CNNVD: CNNVD-201712-865 // NVD: CVE-2017-16766

PROBLEMTYPE DATA

problemtype:CWE-74

Trust: 1.9

problemtype:CWE-284

Trust: 1.0

sources: VULHUB: VHN-107721 // JVNDB: JVNDB-2017-011711 // NVD: CVE-2017-16766

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-865

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-201712-865

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011711

PATCH

title: Synology-SA-17:74 // url: https://www.synology.com/en-global/support/security/Synology_SA_17_74

Trust: 0.8

title: Synology DiskStation Manager Fixes for access control error vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77314

Trust: 0.6

sources: JVNDB: JVNDB-2017-011711 // CNNVD: CNNVD-201712-865

EXTERNAL IDS

db: NVD // id: CVE-2017-16766

Trust: 2.5

db: JVNDB // id: JVNDB-2017-011711

Trust: 0.8

db: CNNVD // id: CNNVD-201712-865

Trust: 0.7

db: VULHUB // id: VHN-107721

Trust: 0.1

sources: VULHUB: VHN-107721 // JVNDB: JVNDB-2017-011711 // CNNVD: CNNVD-201712-865 // NVD: CVE-2017-16766

REFERENCES

url:https://www.synology.com/en-global/support/security/synology_sa_17_74

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16766

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-16766

Trust: 0.8

sources: VULHUB: VHN-107721 // JVNDB: JVNDB-2017-011711 // CNNVD: CNNVD-201712-865 // NVD: CVE-2017-16766

SOURCES

db: VULHUB // id: VHN-107721
db: JVNDB // id: JVNDB-2017-011711
db: CNNVD // id: CNNVD-201712-865
db: NVD // id: CVE-2017-16766

LAST UPDATE DATE

2024-11-23T23:12:17.483000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-107721 // date: 2019-10-09T00:00:00
db: JVNDB // id: JVNDB-2017-011711 // date: 2018-01-24T00:00:00
db: CNNVD // id: CNNVD-201712-865 // date: 2019-10-17T00:00:00
db: NVD // id: CVE-2017-16766 // date: 2024-11-21T03:16:55.917

SOURCES RELEASE DATE

db: VULHUB // id: VHN-107721 // date: 2017-12-22T00:00:00
db: JVNDB // id: JVNDB-2017-011711 // date: 2018-01-24T00:00:00
db: CNNVD // id: CNNVD-201712-865 // date: 2017-12-25T00:00:00
db: NVD // id: CVE-2017-16766 // date: 2017-12-22T14:29:13.297