[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Reflected Cross-Site Scripting in Synology DiskStation Manager
From: "Securify B.V." <lists () securify ! nl>
Date: 2015-05-25 14:42:18
Message-ID: 556334CA.6090806 () securify ! nl
[Download RAW message or body]
------------------------------------------------------------------------
Reflected Cross-Site Scripting in Synology DiskStation Manager
------------------------------------------------------------------------
Han Sahin, May 2015
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A reflected Cross-Site scripting vulnerability was found in Synology
DiskStation Manager. This issue allows attackers to perform a wide
variety of actions, such as stealing victims' session tokens or login
credentials if available, performing arbitrary actions on their behalf
but also performing arbitrary redirects to potential malicious websites.
------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This issue was tested on Synology DiskStation Manager version 5.2-5565.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Synology reports that this issue has been resolved in DiskStation
Manager version 5.2-5565 Update 1 (2015/05/21).
https://www.synology.com/en-global/releaseNote/DS214play
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20150503/reflected_cross_site_scripting_in_synology_diskstation_manager.html
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic