Cross-Site Scripting Vulnerability in Synology Download Station
CVE-2015-6913

Currently unrated

Key Information:

Vendor: Synology
Status: Download Station
Vendor: CVE Published:; 11 September 2015

Summary

An XSS vulnerability exists in the 'Create download task via URL' feature of Synology Download Station. This flaw allows remote attackers to inject arbitrary web scripts or HTML through the 'urls' parameter during an 'add_url_task' action. Users of Download Station versions prior to 3.5-2967 are particularly at risk, as malicious actors could exploit this vulnerability to execute harmful scripts in the context of the user's web browser, potentially compromising sensitive information.

References

http://www.securityfocus.com/archive/1/536428/100/0/threaded

mailing-listx_refsource_BUGTRAQ

http://packetstormsecurity.com/files/133520/Synology-Down...

x_refsource_MISC

https://www.synology.com/en-global/releaseNote/DownloadSt...

x_refsource_CONFIRM

Timeline

Vulnerability published
Sep 11, 2015
Vulnerability Reserved
Sep 11, 2015