ID

VAR-201904-0608


CVE

CVE-2018-13293


TITLE

Synology DiskStation Manager vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-015176

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter. Synology DiskStation Manager (DSM) contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology DiskStation Manager (DSM) is an operating system for network storage servers (NAS) developed by Synology, Taiwan. The operating system can manage data, documents, photos, music and other information. An attacker could exploit this vulnerability to execute client code

Trust: 1.71

sources: NVD: CVE-2018-13293 // JVNDB: JVNDB-2018-015176 // VULHUB: VHN-123338

AFFECTED PRODUCTS

vendor: synology // model: diskstation manager // scope: lt // version: 6.2.1-23824

Trust: 1.8

vendor: synology // model: diskstation manager // scope: gte // version: 5.2

Trust: 1.0

sources: JVNDB: JVNDB-2018-015176 // NVD: CVE-2018-13293

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-13293
value: MEDIUM

Trust: 1.0

security@synology.com: CVE-2018-13293
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-13293
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201904-013
value: MEDIUM

Trust: 0.6

VULHUB: VHN-123338
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-13293
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-123338
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-13293
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

security@synology.com: CVE-2018-13293
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.7
impactScore: 3.7
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-123338 // JVNDB: JVNDB-2018-015176 // CNNVD: CNNVD-201904-013 // NVD: CVE-2018-13293 // NVD: CVE-2018-13293

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-123338 // JVNDB: JVNDB-2018-015176 // NVD: CVE-2018-13293

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-013

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201904-013

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-015176

PATCH

title: Synology-SA-18:51 DSM // url: https://www.synology.com/ja-jp/security/advisory/Synology_SA_18_51

Trust: 0.8

title: Synology DiskStation Manager Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90929

Trust: 0.6

sources: JVNDB: JVNDB-2018-015176 // CNNVD: CNNVD-201904-013

EXTERNAL IDS

db: NVD // id: CVE-2018-13293

Trust: 2.5

db: JVNDB // id: JVNDB-2018-015176

Trust: 0.8

db: CNNVD // id: CNNVD-201904-013

Trust: 0.7

db: VULHUB // id: VHN-123338

Trust: 0.1

sources: VULHUB: VHN-123338 // JVNDB: JVNDB-2018-015176 // CNNVD: CNNVD-201904-013 // NVD: CVE-2018-13293

REFERENCES

url:https://www.synology.com/security/advisory/synology_sa_18_51

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2018-13293

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-13293

Trust: 0.8

sources: VULHUB: VHN-123338 // JVNDB: JVNDB-2018-015176 // CNNVD: CNNVD-201904-013 // NVD: CVE-2018-13293

SOURCES

db: VULHUB // id: VHN-123338
db: JVNDB // id: JVNDB-2018-015176
db: CNNVD // id: CNNVD-201904-013
db: NVD // id: CVE-2018-13293

LAST UPDATE DATE

2024-11-23T22:12:06.590000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-123338 // date: 2019-10-09T00:00:00
db: JVNDB // id: JVNDB-2018-015176 // date: 2019-05-09T00:00:00
db: CNNVD // id: CNNVD-201904-013 // date: 2019-10-10T00:00:00
db: NVD // id: CVE-2018-13293 // date: 2024-11-21T03:46:46.537

SOURCES RELEASE DATE

db: VULHUB // id: VHN-123338 // date: 2019-04-01T00:00:00
db: JVNDB // id: JVNDB-2018-015176 // date: 2019-05-09T00:00:00
db: CNNVD // id: CNNVD-201904-013 // date: 2019-04-01T00:00:00
db: NVD // id: CVE-2018-13293 // date: 2019-04-01T15:29:00.687