Cross-Site Scripting Issue in Synology Note Station
CVE-2019-11827

6.5MEDIUM

Key Information:

Vendor: Synology
Status: Note Station
Vendor: CVE Published:; 30 June 2019

Summary

The Synology Note Station application is susceptible to a cross-site scripting (XSS) vulnerability which can be exploited by remote attackers. By manipulating the 'object_id' parameter, an attacker can inject arbitrary web script or HTML code. This could lead to unauthorized actions in the user's session or exposure of sensitive information. Users are advised to upgrade to Note Station version 2.5.3-0863 or later to mitigate this risk. For further details, refer to the official security advisory from Synology.

Affected Version(s)

Note Station < 2.5.3-0863

References

https://www.synology.com/security/advisory/Synology_SA_19_08

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jun 30, 2019
Vulnerability Reserved
May 8, 2019