ID

VAR-201904-0529


CVE

CVE-2017-16774


TITLE

Synology DiskStation Manager vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-014408

DESCRIPTION

Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter. Synology DiskStation Manager (DSM) contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information. An attacker could exploit this vulnerability to execute client code.

Trust: 1.71

sources: NVD: CVE-2017-16774 // JVNDB: JVNDB-2017-014408 // VULHUB: VHN-107730

AFFECTED PRODUCTS

vendor: synology, model: diskstation manager, scope: lt, version: 6.1.4-15217-3

Trust: 1.8

vendor: synology, model: diskstation manager, scope: gte, version: 5.2

Trust: 1.0

sources: JVNDB: JVNDB-2017-014408 // NVD: CVE-2017-16774

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-16774
value: MEDIUM

Trust: 1.0

security@synology.com: CVE-2017-16774
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-16774
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201711-361
value: MEDIUM

Trust: 0.6

VULHUB: VHN-107730
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-16774
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-107730
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-16774
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

security@synology.com: CVE-2017-16774
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.3
impactScore: 3.7
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-107730 // JVNDB: JVNDB-2017-014408 // CNNVD: CNNVD-201711-361 // NVD: CVE-2017-16774 // NVD: CVE-2017-16774

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-107730 // JVNDB: JVNDB-2017-014408 // NVD: CVE-2017-16774

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201711-361

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201711-361

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-014408

PATCH

title: Synology-SA-18:26, url: https://www.synology.com/security/advisory/Synology_SA_18_26

Trust: 0.8

title: Synology DiskStation Manager Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91038

Trust: 0.6

sources: JVNDB: JVNDB-2017-014408 // CNNVD: CNNVD-201711-361

EXTERNAL IDS

db: NVD, id: CVE-2017-16774

Trust: 2.5

db: JVNDB, id: JVNDB-2017-014408

Trust: 0.8

db: CNNVD, id: CNNVD-201711-361

Trust: 0.7

db: VULHUB, id: VHN-107730

Trust: 0.1

sources: VULHUB: VHN-107730 // JVNDB: JVNDB-2017-014408 // CNNVD: CNNVD-201711-361 // NVD: CVE-2017-16774

REFERENCES

url: https://www.synology.com/security/advisory/synology_sa_18_26

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2017-16774

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16774

Trust: 0.8

sources: VULHUB: VHN-107730 // JVNDB: JVNDB-2017-014408 // CNNVD: CNNVD-201711-361 // NVD: CVE-2017-16774

SOURCES

db: VULHUB, id: VHN-107730
db: JVNDB, id: JVNDB-2017-014408
db: CNNVD, id: CNNVD-201711-361
db: NVD, id: CVE-2017-16774

LAST UPDATE DATE

2024-11-23T22:37:53.388000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-107730, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2017-014408, date: 2019-05-07T00:00:00
db: CNNVD, id: CNNVD-201711-361, date: 2019-10-10T00:00:00
db: NVD, id: CVE-2017-16774, date: 2024-11-21T03:16:56.797

SOURCES RELEASE DATE

db: VULHUB, id: VHN-107730, date: 2019-04-01T00:00:00
db: JVNDB, id: JVNDB-2017-014408, date: 2019-05-07T00:00:00
db: CNNVD, id: CNNVD-201711-361, date: 2017-11-13T00:00:00
db: NVD, id: CVE-2017-16774, date: 2019-04-01T15:29:00.263