ID

VAR-201812-0641


CVE

CVE-2018-8917


TITLE

Synology DiskStation Manager vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-013014

DESCRIPTION

Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter. Synology DiskStation Manager (DSM) contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information.

Trust: 1.71

sources: NVD: CVE-2018-8917 // JVNDB: JVNDB-2018-013014 // VULHUB: VHN-138949

AFFECTED PRODUCTS

vendor: synology, model: diskstation manager, scope: lt, version: 6.1.6-15266

Trust: 1.8

vendor: synology, model: diskstation manager, scope: eq, version: 4.2

Trust: 0.6

vendor: synology, model: diskstation manager, scope: eq, version: 4.2-3243

Trust: 0.6

vendor: synology, model: diskstation manager, scope: eq, version: 4.3-3810

Trust: 0.6

vendor: synology, model: diskstation manager, scope: eq, version: 4.0-2259

Trust: 0.6

vendor: synology, model: diskstation manager, scope: eq, version: 4.0

Trust: 0.6

vendor: synology, model: diskstation manager, scope: eq, version: 3.0

Trust: 0.6

vendor: synology, model: diskstation manager, scope: eq, version: 4.3

Trust: 0.6

sources: JVNDB: JVNDB-2018-013014 // CNNVD: CNNVD-201812-1086 // NVD: CVE-2018-8917

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-8917
value: MEDIUM

Trust: 1.0

security@synology.com: CVE-2018-8917
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-8917
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201812-1086
value: MEDIUM

Trust: 0.6

VULHUB: VHN-138949
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-8917
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-138949
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-8917
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

security@synology.com: CVE-2018-8917
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.3
impactScore: 3.7
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-138949 // JVNDB: JVNDB-2018-013014 // CNNVD: CNNVD-201812-1086 // NVD: CVE-2018-8917 // NVD: CVE-2018-8917

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-138949 // JVNDB: JVNDB-2018-013014 // NVD: CVE-2018-8917

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-1086

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201812-1086

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013014

PATCH

title: Synology-SA-18:14 DSM, url: https://www.synology.com/security/advisory/Synology_SA_18_14

Trust: 0.8

title: Synology DiskStation Manager Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88160

Trust: 0.6

sources: JVNDB: JVNDB-2018-013014 // CNNVD: CNNVD-201812-1086

EXTERNAL IDS

db: NVD, id: CVE-2018-8917

Trust: 2.5

db: JVNDB, id: JVNDB-2018-013014

Trust: 0.8

db: CNNVD, id: CNNVD-201812-1086

Trust: 0.7

db: VULHUB, id: VHN-138949

Trust: 0.1

sources: VULHUB: VHN-138949 // JVNDB: JVNDB-2018-013014 // CNNVD: CNNVD-201812-1086 // NVD: CVE-2018-8917

REFERENCES

url: https://www.synology.com/security/advisory/synology_sa_18_14

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8917

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-8917

Trust: 0.8

sources: VULHUB: VHN-138949 // JVNDB: JVNDB-2018-013014 // CNNVD: CNNVD-201812-1086 // NVD: CVE-2018-8917

SOURCES

db: VULHUB, id: VHN-138949
db: JVNDB, id: JVNDB-2018-013014
db: CNNVD, id: CNNVD-201812-1086
db: NVD, id: CVE-2018-8917

LAST UPDATE DATE

2024-11-23T22:06:22.938000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-138949, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-013014, date: 2019-02-13T00:00:00
db: CNNVD, id: CNNVD-201812-1086, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-8917, date: 2024-11-21T04:14:35.960

SOURCES RELEASE DATE

db: VULHUB, id: VHN-138949, date: 2018-12-24T00:00:00
db: JVNDB, id: JVNDB-2018-013014, date: 2019-02-13T00:00:00
db: CNNVD, id: CNNVD-201812-1086, date: 2018-12-25T00:00:00
db: NVD, id: CVE-2018-8917, date: 2018-12-24T15:29:00.280