Description
An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://www.synology.com/en-global/support/security/Synology_SA_17_74
Scores
CVSS v3
6.5
EPSS
0.0043
EPSS Percentile
62.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-284
CWE-74
Status
published
Products (4)
Synology/DiskStation Manager (DSM)
before 6.0.3-8754-6
Synology/DiskStation Manager (DSM)
before 6.1.4-15217
synology/diskstation_manager
6.0.0 - 6.0.3-8754-6
synology/diskstation_manager
6.1.0 - 6.1.4-15217
Published
Dec 22, 2017
Tracked Since
Feb 18, 2026