ID

VAR-201506-0183


CVE

CVE-2015-4656


TITLE

Synology Photo Station Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2015-003208

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/.

Synology Photo Station is prone to multiple security vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities
2. A command-injection vulnerability

Attackers may exploit these issues to execute arbitrary commands and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. Synology Photo Station 6.2-2858 is vulnerable; other versions may also be affected.

Synology Photo Station is a set of solutions from Synology for sharing pictures, videos and blogs on the Internet. A remote attacker can exploit this vulnerability to inject arbitrary web script or HTML.

Trust: 1.98

sources: NVD: CVE-2015-4656 // JVNDB: JVNDB-2015-003208 // BID: 74816 // VULHUB: VHN-82617

AFFECTED PRODUCTS

vendor: synology, model: photo station, scope: lte, version: 6.3-2944

Trust: 1.0

vendor: synology, model: photo station, scope: lt, version: 6.3-2945

Trust: 0.8

vendor: synology, model: photo station, scope: eq, version: 6.3-2944

Trust: 0.6

sources: JVNDB: JVNDB-2015-003208 // CNNVD: CNNVD-201505-525 // NVD: CVE-2015-4656

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-4656
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-4656
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201505-525
value: MEDIUM

Trust: 0.6

VULHUB: VHN-82617
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-4656
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-82617
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-82617 // JVNDB: JVNDB-2015-003208 // CNNVD: CNNVD-201505-525 // NVD: CVE-2015-4656

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-82617 // JVNDB: JVNDB-2015-003208 // NVD: CVE-2015-4656

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201505-525

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201505-525

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-003208

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-82617

PATCH

title: Photo Station-2945, url: https://www.synology.com/en-us/support/security/Photo_Station_2945

Trust: 0.8

title: Release Notes for Photo Station, url: https://www.synology.com/en-us/releaseNote/PhotoStation

Trust: 0.8

sources: JVNDB: JVNDB-2015-003208

EXTERNAL IDS

db: NVD, id: CVE-2015-4656

Trust: 2.8

db: BID, id: 74816

Trust: 2.0

db: JVNDB, id: JVNDB-2015-003208

Trust: 0.8

db: CNNVD, id: CNNVD-201505-525

Trust: 0.7

db: VULHUB, id: VHN-82617

Trust: 0.1

sources: VULHUB: VHN-82617 // BID: 74816 // JVNDB: JVNDB-2015-003208 // CNNVD: CNNVD-201505-525 // NVD: CVE-2015-4656

REFERENCES

url:https://www.securify.nl/advisory/sfy20150504/synology_photo_station_multiple_cross_site_scripting_vulnerabilities.html

Trust: 2.5

url:http://www.securityfocus.com/bid/74816

Trust: 1.7

url:https://www.synology.com/en-us/support/security/photo_station_2945

Trust: 1.7

url:http://seclists.org/fulldisclosure/2015/may/110

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4656

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4656

Trust: 0.8

url:http://www.synology.com/us/products/features/photostation4.php

Trust: 0.3

sources: VULHUB: VHN-82617 // BID: 74816 // JVNDB: JVNDB-2015-003208 // CNNVD: CNNVD-201505-525 // NVD: CVE-2015-4656

CREDITS

Han Sahin

Trust: 0.9

sources: BID: 74816 // CNNVD: CNNVD-201505-525

SOURCES

db: VULHUB, id: VHN-82617
db: BID, id: 74816
db: JVNDB, id: JVNDB-2015-003208
db: CNNVD, id: CNNVD-201505-525
db: NVD, id: CVE-2015-4656

LAST UPDATE DATE

2025-04-13T23:09:49.791000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-82617, date: 2016-11-28T00:00:00
db: BID, id: 74816, date: 2015-07-15T00:38:00
db: JVNDB, id: JVNDB-2015-003208, date: 2015-06-22T00:00:00
db: CNNVD, id: CNNVD-201505-525, date: 2015-06-19T00:00:00
db: NVD, id: CVE-2015-4656, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: VULHUB, id: VHN-82617, date: 2015-06-18T00:00:00
db: BID, id: 74816, date: 2015-05-25T00:00:00
db: JVNDB, id: JVNDB-2015-003208, date: 2015-06-22T00:00:00
db: CNNVD, id: CNNVD-201505-525, date: 2015-05-26T00:00:00
db: NVD, id: CVE-2015-4656, date: 2015-06-18T18:59:09.007