Session Cookie Vulnerability in Synology Router Manager
CVE-2020-27658
CVSS v3.1 base score: 7.1 (HIGH)
Key Information:
- Vendor: Synology
- CVE Published: 29 October 2020
Summary
Synology Router Manager (SRM) before version 1.2.4-8081 sets its session cookie without the HttpOnly attribute in the Set-Cookie header. Without HttpOnly, the cookie is exposed to client-side script through document.cookie, so an attacker who can get script to run in the browser of a logged-in SRM user can read the session cookie and obtain sensitive information. The cookie itself is not the entry point: the attacker still needs a separate way to execute script in that browser context, which is why the CVSS vector below records user interaction as required and scope as changed. Users are advised to update to SRM 1.2.4-8081 or later.
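To show what the missing attribute looks like on the wire and how to check for it, here is an added Python example; it is not Synology's code and does not come from the advisory. The Set-Cookie values are constructed, and the cookie name `id` is a placeholder, since the page does not give SRM's session cookie name. The checker flags Secure and SameSite as well, because an auditor looking for this class of issue would want all three.

```python
"""Audit Set-Cookie headers for HttpOnly and related hardening attributes.

Added example for this advisory (not Synology code). The header values below
are constructed to show the vulnerable and fixed shapes; they are not captured
from an SRM device, and the cookie name "id" is a placeholder.
"""
from typing import Dict, List, Tuple

# Constructed sample responses. The first is the vulnerable shape described in
# the advisory: a session cookie with no HttpOnly attribute.
VULNERABLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "id=abc123; Path=/; Secure"),
]
FIXED_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def parse_set_cookie(value: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and an attribute map.

    Attribute names are case-insensitive (RFC 6265, section 5.2), so they are
    lower-cased. Flag attributes such as HttpOnly and Secure map to True;
    valued attributes such as Path map to their string value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": cookie_value.strip(), "attrs": attrs}


def audit_cookies(headers: List[Tuple[str, str]]) -> List[str]:
    """Return one finding per missing hardening attribute across all Set-Cookie headers."""
    findings: List[str] = []
    for hname, hvalue in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        attrs = cookie["attrs"]
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly (readable via document.cookie)")
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure (sent over plaintext HTTP)")
        if "samesite" not in attrs:
            findings.append(f"{cookie['name']}: missing SameSite (sent on cross-site requests)")
    return findings


def harden_set_cookie(value: str) -> str:
    """Append HttpOnly to a Set-Cookie value that lacks it; leave hardened values unchanged."""
    attrs = parse_set_cookie(value)["attrs"]
    if "httponly" in attrs:
        return value
    return value.rstrip("; ") + "; HttpOnly"


if __name__ == "__main__":
    for label, headers in (("vulnerable", VULNERABLE_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit_cookies(headers) or ["no findings"])
    print(harden_set_cookie("id=abc123; Path=/; Secure"))
```

Running `audit_cookies` over a real capture is a matter of feeding it the `(name, value)` pairs from `http.client`'s `response.getheaders()`; the parser handles the usual attribute mix, including valued attributes such as `Expires` that contain commas.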
Affected Version(s)
Synology Router Manager (SRM) < 1.2.4-8081
References
CVSS V3.1
Score: 7.1
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published: 29 October 2020
Vulnerability Reserved