Cross-Site Scripting Flaws in Synology Chat by Synology
CVE-2017-15892

5.4MEDIUM

Key Information:

Vendor: Synology
Status: Chat
Vendor: CVE Published:; 28 December 2017

Summary

Multiple Cross-Site Scripting vulnerabilities exist in the Slash Command Creator feature of Synology Chat prior to version 2.0.0-1124. These flaws enable remote authenticated users to inject arbitrary web scripts or HTML code through specific parameters, including COMMAND, COMMANDS INSTRUCTION, and DESCRIPTION. This capability poses significant security risks as it may lead to unauthorized access or manipulation of the affected application.

Affected Version(s)

Chat before 2.0.0-1124

References

https://www.synology.com/en-global/support/security/Synol...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 28, 2017
Vulnerability Reserved
Oct 25, 2017