Cross-Site Request Forgery Vulnerability in Synology Photo Station
CVE-2018-8925

8.8HIGH

Key Information:

Vendor: Synology
Status: Photo Station
Vendor: CVE Published:; 8 June 2018

Summary

A cross-site request forgery (CSRF) vulnerability exists in the admin/user.php function of Synology Photo Station before versions 6.8.5-3471 and 6.3-2975. This flaw allows remote attackers to exploit user sessions, leading to unauthorized actions by hijacking the authentication of administrators. By manipulating parameters such as username, password, action, or others, an attacker can gain control over administrator operations, posing a significant security risk.

Affected Version(s)

Photo Station < 6.8.5-3471

Photo Station < 6.3-2975

References

https://www.synology.com/zh-tw/support/security/Synology_...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 8, 2018
Vulnerability Reserved
Mar 22, 2018