Cross-Site Scripting Vulnerability in Synology Calendar
CVE-2019-11825

6.5MEDIUM

Key Information:

Vendor: Synology
Status: Calendar
Vendor: CVE Published:; 30 June 2019

What is CVE-2019-11825?

A cross-site scripting vulnerability exists in the Event Editor component of Synology Calendar versions before 2.3.0-0615. This weakness allows remote attackers to craft malicious web scripts or HTML content that can be injected via the title parameter. Successful exploitation could lead to unauthorized actions on behalf of users, compromising the integrity and security of user sessions.

Affected Version(s)

Calendar < 2.3.0-0615

References

https://www.synology.com/security/advisory/Synology_SA_19_04

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 30, 2019
Vulnerability Reserved
May 8, 2019