Cross-Site Scripting Vulnerability in Synology Download Station
CVE-2015-6909

Currently unrated

Key Information:

Vendor: Synology

CVE Published: 11 September 2015

Summary

Synology Download Station before version 3.5-2962 is susceptible to a Cross-Site Scripting (XSS) vulnerability. The flaw is in the 'Create download task via file upload' feature and permits remote attackers to inject arbitrary web script or HTML through the name element within the Info dictionary of a torrent file. Successful exploitation could lead to session hijacking, data theft, or manipulation of the user interface.
