CVE-2015-3140

HIGH

Synametrics SynaMan Syncrify SynTail - Cross-Site Request Forgery


Exploitation Summary

EIP tracks 3 public exploits for CVE-2015-3140. PoCs published by Marlow Tannhauser.

AI-analyzed exploit summary: The exploit demonstrates CSRF and stored XSS vulnerabilities in SynTail 1.5 Build 566. It includes PoC HTML forms that submit crafted requests to create a new file bundle or a new user. The forged requests succeed because the victim's browser attaches its still-valid (persistent) JSESSIONID session cookie to the cross-site POST; no authentication is bypassed, the attacker rides the victim's existing session.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies SynaMan before 3.5 Build 1451, Syncrify before 3.7 Build 856, and SynTail before 1.5 Build 567

Exploits (3)

exploitdb WORKING POC
by Marlow Tannhauser · text · webapps · php
https://www.exploit-db.com/exploits/36953

The exploit demonstrates CSRF and stored XSS vulnerabilities in SynTail 1.5 Build 566. It includes PoC HTML forms that submit crafted requests to create a new file bundle or a new user. The forged requests succeed because the victim's browser attaches its still-valid (persistent) JSESSIONID session cookie to the cross-site POST; the attacker rides the victim's existing session rather than bypassing authentication.

Classification
Working Poc 100%
Attack Type
Csrf | Xss
Complexity
Trivial
Reliability
Reliable
Target: SynTail 1.5 Build 566
No auth needed
Prerequisites: Victim must visit a malicious page while authenticated to the target application
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
by Marlow Tannhauser · text · webapps · php
https://www.exploit-db.com/exploits/36950

The exploit demonstrates CSRF and stored XSS vulnerabilities in Syncrify Server 3.6 Build 833. It includes PoC HTML snippets that leverage CSRF to modify SMTP settings and administrator passwords, as well as stored XSS payloads in user fields and email configurations.

Classification
Working Poc 100%
Attack Type
Csrf | Xss
Complexity
Trivial
Reliability
Reliable
Target: Syncrify Server 3.6 Build 833
No auth needed
Prerequisites: Victim must visit a malicious webpage or open a crafted HTML file · Target server must be running vulnerable Syncrify version
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
by Marlow Tannhauser · text · webapps · php
https://www.exploit-db.com/exploits/36951

This exploit demonstrates CSRF and stored XSS vulnerabilities in SynaMan 3.4 Build 1436. It includes PoC code for creating a shared folder and a new user via CSRF, as well as identifying multiple stored XSS vulnerabilities in various input fields.

Classification
Working Poc 95%
Attack Type
Csrf | Xss
Complexity
Trivial
Reliability
Reliable
Target: SynaMan 3.4 Build 1436
No auth needed
Prerequisites: Victim must visit a malicious webpage · Target application must be accessible
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References (3)
http://web.synametrics.com/SynamanVersionHistory.htm (Mitigation, Release Notes, Vendor Advisory; x_refsource_confirm)
https://web.synametrics.com/SyntailVersionHistory.htm (Mitigation, Release Notes, Vendor Advisory; x_refsource_confirm)
https://web.synametrics.com/SyncrifyVersionHistory.htm (Mitigation, Release Notes, Vendor Advisory; x_refsource_confirm)

Scores

CVSS v3 8.8
EPSS 0.0129
EPSS Percentile 66.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (17)
synametrics/synaman 1.0 build786 (2 CPE variants)
synametrics/synaman 1.1 build972
synametrics/synaman 2.0 build1185
synametrics/synaman 2.1 build1202
synametrics/synaman 2.2 build1205 (2 CPE variants)
synametrics/synaman 2.3 build1259 (2 CPE variants)
synametrics/synaman 2.4 build1272
synametrics/synaman 2.5 build1282 (15 CPE variants)
synametrics/synaman 2.6 build1328
synametrics/synaman 2.7 build1337 (3 CPE variants)
... and 7 more
Published Nov 21, 2019
Tracked Since Feb 18, 2026