CVE-2020-27650

MEDIUM

Synology DSM <6.2.3-25426-2 - Info Disclosure

Title source: llm

Description

Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

References (1)

[Vendor Advisory] https://www.synology.com/security/advisory/Synology_SA_20_18

Scores

CVSS v3 5.8

EPSS 0.0017

EPSS Percentile 37.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

Classification

CWE

CWE-614 CWE-311

Status published

Affected Products (2)

synology/diskstation_manager < 6.2.3-25426-2

synology/skynas_firmware < 6.2.3-25426

Timeline

Published Oct 29, 2020

Tracked Since Feb 18, 2026