CVE-2021-47960
MEDIUM
Synology SSL VPN Client < 1.4.5-0684 - Information Disclosure via Local HTTP Server
Title source: llm
Description
A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure.
References (1)
Vendor Advisory
Synology-SA-26:05 Synology SSL VPN Client
https://www.synology.com/en-global/security/advisory/Synology_SA_26_05
Scores
CVSS v3: 6.5
EPSS: 0.0003
EPSS Percentile: 10.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-552
Status: published
Products (1)
Synology/Synology SSL VPN Client: < 1.4.5-0684
Published: Apr 10, 2026
Tracked Since: Apr 10, 2026