CVE-2017-15887

CRITICAL

Synology CardDAV Server < 6.0.7-0085 - Unauthenticated Brute-Force Attack via /principals

Title source: llm

Description

An improper restriction of excessive authentication attempts vulnerability in /principals in Synology CardDAV Server before 6.0.7-0085 allows remote attackers to obtain user credentials via a brute-force attack.

References (1)

Core 1

Core References

Issue Tracking, Vendor Advisory x_refsource_confirm

https://www.synology.com/en-global/support/security/Synology_SA_17_64_CardDAV_Server

Scores

CVSS v3 9.8

EPSS 0.0042

EPSS Percentile 62.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-307

Status published

Products (2)

synology/carddav_server < 6.0.7-0085

Synology/Synology CardDAV Server before 6.0.7-0085

Published Nov 07, 2017

Tracked Since Feb 18, 2026