Cross-Site Scripting Vulnerability in Synology Surveillance Station
CVE-2017-16767

5.4MEDIUM

Key Information:

Vendor: Synology
Status: Surveillance Station
Vendor: CVE Published:; 27 February 2018

What is CVE-2017-16767?

A cross-site scripting (XSS) vulnerability has been identified in the User Profile component of Synology Surveillance Station prior to version 8.1.2-5469. This security flaw enables remote authenticated users to exploit the userDesc parameter, allowing them to inject arbitrary web scripts or HTML. Such vulnerabilities pose significant risks as they can be used by attackers to execute malicious code in the context of users' sessions, potentially leading to unauthorized access or data theft.

Affected Version(s)

Surveillance Station before 8.1.2-5469

References

https://www.synology.com/en-global/support/security/Synol...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 27, 2018
Vulnerability Reserved
Nov 10, 2017