------------------------------------------------------------------------ Multiple Cross-Site Scripting vulnerabilities in Synology Download Station ------------------------------------------------------------------------ Han Sahin, September 2015 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Multiple Cross-Site Scripting vulnerabilities were found in Synology Download Station. These issues allow attackers to perform a wide variety of actions, such as stealing victims' session tokens or login credentials if available, performing arbitrary actions on their behalf but also performing arbitrary redirects to potential malicious websites. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ These issues have been tested on Synology Download Station version 3.5-2956 and version 3.5-2962. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Synology reports that these issue have been resolved in: - Download Station version 3.5-2962 [Create download task via file upload] - Download Station version 3.5-2967 [Create download task via URL] ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20150809/multiple_cross_site_scripting_vulnerabilities_in_synology_download_station.html
