ID

VAR-202106-1481


CVE

CVE-2021-29090


TITLE

SQL Injection vulnerability in Synology Photo Station

Trust: 0.8

sources: JVNDB: JVNDB-2021-007590

DESCRIPTION

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in PHP component in Synology Photo Station before 6.8.14-3500 allows remote authenticated users to execute arbitrary SQL command via unspecified vectors. Synology Photo Station contains an SQL injection vulnerability. Information may be obtained, information may be tampered with, and a denial-of-service (DoS) condition may result. Synology Photo Station is a set of solutions for sharing pictures, videos and blogs on the Internet from Synology, a Taiwan-based company.

Trust: 1.71

sources: NVD: CVE-2021-29090 // JVNDB: JVNDB-2021-007590 // VULHUB: VHN-388630

AFFECTED PRODUCTS

vendor: synology, model: photo station, scope: gte, version: 6.8

Trust: 1.0

vendor: synology, model: photo station, scope: lt, version: 6.8.14-3500

Trust: 1.0

vendor: synology, model: photo station, scope: eq, version: -

Trust: 0.8

vendor: synology, model: photo station, scope: eq, version: 6.8.14-3500

Trust: 0.8

sources: JVNDB: JVNDB-2021-007590 // NVD: CVE-2021-29090

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-29090
value: HIGH

Trust: 1.0

security@synology.com: CVE-2021-29090
value: HIGH

Trust: 1.0

NVD: CVE-2021-29090
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202106-116
value: HIGH

Trust: 0.6

VULHUB: VHN-388630
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2021-29090
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-388630
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-29090
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 2.0

OTHER: JVNDB-2021-007590
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-388630 // JVNDB: JVNDB-2021-007590 // CNNVD: CNNVD-202106-116 // NVD: CVE-2021-29090 // NVD: CVE-2021-29090

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.1

problemtype: SQL injection (CWE-89) [Other]

Trust: 0.8

sources: VULHUB: VHN-388630 // JVNDB: JVNDB-2021-007590 // NVD: CVE-2021-29090

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202106-116

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202106-116

PATCH

title: Synology-SA-20, url: https://www.synology.com/security/advisory/Synology_SA_20_20

Trust: 0.8

title: Synology Photo Station SQL injection vulnerability repair measures, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=152618

Trust: 0.6

sources: JVNDB: JVNDB-2021-007590 // CNNVD: CNNVD-202106-116

EXTERNAL IDS

db: NVD, id: CVE-2021-29090

Trust: 3.3

db: JVNDB, id: JVNDB-2021-007590

Trust: 0.8

db: CNNVD, id: CNNVD-202106-116

Trust: 0.6

db: VULHUB, id: VHN-388630

Trust: 0.1

sources: VULHUB: VHN-388630 // JVNDB: JVNDB-2021-007590 // CNNVD: CNNVD-202106-116 // NVD: CVE-2021-29090

REFERENCES

url: https://www.synology.com/security/advisory/synology_sa_20_20

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2021-29090

Trust: 1.4

sources: VULHUB: VHN-388630 // JVNDB: JVNDB-2021-007590 // CNNVD: CNNVD-202106-116 // NVD: CVE-2021-29090

SOURCES

db: VULHUB, id: VHN-388630
db: JVNDB, id: JVNDB-2021-007590
db: CNNVD, id: CNNVD-202106-116
db: NVD, id: CVE-2021-29090

LAST UPDATE DATE

2024-08-14T15:17:10.616000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-388630, date: 2021-06-10T00:00:00
db: JVNDB, id: JVNDB-2021-007590, date: 2022-02-17T06:42:00
db: CNNVD, id: CNNVD-202106-116, date: 2021-06-11T00:00:00
db: NVD, id: CVE-2021-29090, date: 2021-06-10T17:39:20.460

SOURCES RELEASE DATE

db: VULHUB, id: VHN-388630, date: 2021-06-02T00:00:00
db: JVNDB, id: JVNDB-2021-007590, date: 2022-02-17T00:00:00
db: CNNVD, id: CNNVD-202106-116, date: 2021-06-01T00:00:00
db: NVD, id: CVE-2021-29090, date: 2021-06-02T02:15:06.960