ID

VAR-201802-0396


CVE

CVE-2017-16767


TITLE

Synology Surveillance Station vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-012808

DESCRIPTION

Cross-site scripting (XSS) vulnerability in User Profile in Synology Surveillance Station before 8.1.2-5469 allows remote authenticated users to inject arbitrary web script or HTML via the userDesc parameter. Synology Surveillance Station contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology Surveillance Station is an image management application from Synology Corporation. User Profile is one of the user information storage files.

Trust: 1.71

sources: NVD: CVE-2017-16767 // JVNDB: JVNDB-2017-012808 // VULHUB: VHN-107722

AFFECTED PRODUCTS

vendor: synology, model: surveillance station, scope: lt, version: 8.1.2-5469

Trust: 1.8

sources: JVNDB: JVNDB-2017-012808 // NVD: CVE-2017-16767

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-16767
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-16767
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201802-698
value: MEDIUM

Trust: 0.6

VULHUB: VHN-107722
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-16767
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-107722
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-16767
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-107722 // JVNDB: JVNDB-2017-012808 // CNNVD: CNNVD-201802-698 // NVD: CVE-2017-16767

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-107722 // JVNDB: JVNDB-2017-012808 // NVD: CVE-2017-16767

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201802-698

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201802-698

CONFIGURATIONS

[
  {
    "CVE_data_version": "4.0",
    "nodes": [
      {
        "operator": "OR",
        "cpe_match": [
          {
            "vulnerable": true,
            "cpe22Uri": "cpe:/a:synology:surveillance_station"
          }
        ]
      }
    ]
  }
]

sources: JVNDB: JVNDB-2017-012808

PATCH

title: Synology-SA-17:77, url: https://www.synology.com/en-global/support/security/Synology_SA_17_77

Trust: 0.8

title: Synology Surveillance Station User Profile Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=78720

Trust: 0.6

sources: JVNDB: JVNDB-2017-012808 // CNNVD: CNNVD-201802-698

EXTERNAL IDS

db: NVD, id: CVE-2017-16767

Trust: 2.5

db: JVNDB, id: JVNDB-2017-012808

Trust: 0.8

db: CNNVD, id: CNNVD-201802-698

Trust: 0.6

db: VULHUB, id: VHN-107722

Trust: 0.1

sources: VULHUB: VHN-107722 // JVNDB: JVNDB-2017-012808 // CNNVD: CNNVD-201802-698 // NVD: CVE-2017-16767

REFERENCES

url: https://www.synology.com/en-global/support/security/synology_sa_17_77

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16767

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-16767

Trust: 0.8

sources: VULHUB: VHN-107722 // JVNDB: JVNDB-2017-012808 // CNNVD: CNNVD-201802-698 // NVD: CVE-2017-16767

SOURCES

db: VULHUB, id: VHN-107722
db: JVNDB, id: JVNDB-2017-012808
db: CNNVD, id: CNNVD-201802-698
db: NVD, id: CVE-2017-16767

LAST UPDATE DATE

2024-11-23T22:38:16.635000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-107722, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2017-012808, date: 2018-04-19T00:00:00
db: CNNVD, id: CNNVD-201802-698, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-16767, date: 2024-11-21T03:16:56.037

SOURCES RELEASE DATE

db: VULHUB, id: VHN-107722, date: 2018-02-27T00:00:00
db: JVNDB, id: JVNDB-2017-012808, date: 2018-04-19T00:00:00
db: CNNVD, id: CNNVD-201802-698, date: 2018-02-28T00:00:00
db: NVD, id: CVE-2017-16767, date: 2018-02-27T15:29:00.317