SQL Injection Vulnerability in Synology SafeAccess
CVE-2020-27660

9.6CRITICAL

Key Information:

Vendor
Synology
Status
Safe Access
Vendor
CVE Published:
30 November 2020

Summary

A critical SQL injection vulnerability exists in the request.cgi component of Synology SafeAccess prior to version 1.2.3-0234. This flaw allows remote attackers to exploit the domain parameter, enabling them to execute arbitrary SQL commands on the underlying database. Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data and potential manipulation of the database, posing significant security risks to affected systems.

Affected Version(s)

Safe Access < 1.2.3-0234

References

https://www.synology.com/security/advisory/Synology_SA_20_25
x_refsource_CONFIRM
https://www.talosintelligence.com/vulnerability_reports/T...
x_refsource_MISC
https://github.com/thomasfady/Synology_SA_20_25
x_refsource_MISC

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.