Improper Authorization in SYNO.Cal.Event Affects Synology Calendar Product
CVE-2018-8927

5.4 MEDIUM

Key Information:

Vendor: Synology
Status: Vendor
CVE Published: 14 June 2018

Summary

The Synology Calendar product is susceptible to an improper authorization vulnerability, allowing remote authenticated users to create arbitrary calendar events. This issue arises due to inadequate validation of the cal_id and original_cal_id parameters, which can be exploited to manipulate calendar entries without proper permissions. Users should update to the latest version to mitigate the risk.

Affected Version(s)

Calendar < 2.1.2-0511

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
