Reflected Cross-Site Scripting in Synology DiskStation Manager

"Securify B.V." <lists@xxxxxxxxxxx> · Mon, 25 May 2015 16:42:29 +0200



------------------------------------------------------------------------
Reflected Cross-Site Scripting in Synology DiskStation Manager
------------------------------------------------------------------------
Han Sahin, May 2015

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site scripting vulnerability was found in Synology
DiskStation Manager. This issue allows attackers to perform a wide
variety of actions, such as stealing victims' session tokens or login
credentials if available, performing arbitrary actions on their behalf
but also performing arbitrary redirects to potential malicious websites.

------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was tested on Synology DiskStation Manager version 5.2-5565.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Synology reports that this issue has been resolved in DiskStation
Manager version 5.2-5565 Update 1 (2015/05/21).
https://www.synology.com/en-global/releaseNote/DS214play

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20150503/reflected_cross_site_scripting_in_synology_diskstation_manager.html