ID

VAR-201812-0644


CVE

CVE-2018-8920


TITLE

Synology DiskStation Manager Injection vulnerability

Trust: 1.4

sources: JVNDB: JVNDB-2018-014393 // CNNVD: CNNVD-201812-1088

DESCRIPTION

Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format. Synology DiskStation Manager (DSM) contains an injection vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). Synology DiskStation Manager (DSM) is an operating system developed by Synology for network storage servers (NAS). The operating system can manage data, documents, photos, music and other information. There is a security vulnerability in the Log Exporter in versions earlier than Synology DSM 6.1.6-15266. A remote attacker could exploit this vulnerability to inject arbitrary content.

Trust: 1.71

sources: NVD: CVE-2018-8920 // JVNDB: JVNDB-2018-014393 // VULHUB: VHN-138952

AFFECTED PRODUCTS

vendor: synology
model: diskstation manager
scope: lt
version: 6.1.6-15266

Trust: 1.8

sources: JVNDB: JVNDB-2018-014393 // NVD: CVE-2018-8920

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-8920
value: HIGH

Trust: 1.0

security@synology.com: CVE-2018-8920
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-8920
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201812-1088
value: HIGH

Trust: 0.6

VULHUB: VHN-138952
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2018-8920
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-138952
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2018-8920
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

security@synology.com: CVE-2018-8920
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.7
impactScore: 3.7
version: 3.0

Trust: 1.0

NVD: CVE-2018-8920
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-138952 // JVNDB: JVNDB-2018-014393 // CNNVD: CNNVD-201812-1088 // NVD: CVE-2018-8920 // NVD: CVE-2018-8920

PROBLEMTYPE DATA

problemtype: CWE-116

Trust: 1.1

problemtype: CWE-74

Trust: 0.9

sources: VULHUB: VHN-138952 // JVNDB: JVNDB-2018-014393 // NVD: CVE-2018-8920

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201812-1088

TYPE

injection

Trust: 0.6

sources: CNNVD: CNNVD-201812-1088

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-014393

PATCH

title: Synology-SA-18:14 DSM
url: https://www.synology.com/ja-jp/security/advisory/Synology_SA_18_14

Trust: 0.8

title: Synology DiskStation Manager Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=88162

Trust: 0.6

sources: JVNDB: JVNDB-2018-014393 // CNNVD: CNNVD-201812-1088

EXTERNAL IDS

db: NVD, id: CVE-2018-8920

Trust: 2.5

db: JVNDB, id: JVNDB-2018-014393

Trust: 0.8

db: CNNVD, id: CNNVD-201812-1088

Trust: 0.7

db: VULHUB, id: VHN-138952

Trust: 0.1

sources: VULHUB: VHN-138952 // JVNDB: JVNDB-2018-014393 // CNNVD: CNNVD-201812-1088 // NVD: CVE-2018-8920

REFERENCES

url: https://www.synology.com/security/advisory/synology_sa_18_14

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8920

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-8920

Trust: 0.8

sources: VULHUB: VHN-138952 // JVNDB: JVNDB-2018-014393 // CNNVD: CNNVD-201812-1088 // NVD: CVE-2018-8920

SOURCES

db: VULHUB, id: VHN-138952
db: JVNDB, id: JVNDB-2018-014393
db: CNNVD, id: CNNVD-201812-1088
db: NVD, id: CVE-2018-8920

LAST UPDATE DATE

2024-11-23T22:21:52.291000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-138952, date: 2020-09-29T00:00:00
db: JVNDB, id: JVNDB-2018-014393, date: 2019-03-19T00:00:00
db: CNNVD, id: CNNVD-201812-1088, date: 2020-10-22T00:00:00
db: NVD, id: CVE-2018-8920, date: 2024-11-21T04:14:36.333

SOURCES RELEASE DATE

db: VULHUB, id: VHN-138952, date: 2018-12-24T00:00:00
db: JVNDB, id: JVNDB-2018-014393, date: 2019-03-19T00:00:00
db: CNNVD, id: CNNVD-201812-1088, date: 2018-12-25T00:00:00
db: NVD, id: CVE-2018-8920, date: 2018-12-24T15:29:00.437