ID
VAR-201509-0201
CVE
CVE-2015-6909
TITLE
Synology Download Station Cross-site scripting vulnerability in the ability to create download tasks by uploading other files
Trust: 0.8
sources:
JVNDB: JVNDB-2015-004686
DESCRIPTION
Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Station before 3.5-2962 allows remote attackers to inject arbitrary web script or HTML via the name element in the Info dictionary in a torrent file. Synology Download Station is a set of web-based download applications from Synology. The program supports protocols such as BT, FTP and HTTP to download files
Trust: 1.8
sources:
NVD: CVE-2015-6909 //
JVNDB: JVNDB-2015-004686 //
VULHUB: VHN-84870 //
VULMON: CVE-2015-6909
AFFECTED PRODUCTS
| vendor: | synology | model: | download station | scope: | lte | version: | 3.5-2956 | Trust: 1.0 |
| vendor: | synology | model: | download station | scope: | lt | version: | 3.5-2962 | Trust: 0.8 |
| vendor: | synology | model: | download station | scope: | eq | version: | 3.5-2956 | Trust: 0.6 |
sources:
JVNDB: JVNDB-2015-004686 //
CNNVD: CNNVD-201509-149 //
NVD: CVE-2015-6909
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
sources:
VULHUB: VHN-84870 //
VULMON: CVE-2015-6909 //
JVNDB: JVNDB-2015-004686 //
CNNVD: CNNVD-201509-149 //
NVD: CVE-2015-6909
PROBLEMTYPE DATA
| problemtype: | CWE-79 | Trust: 1.9 |
sources:
VULHUB: VHN-84870 //
JVNDB: JVNDB-2015-004686 //
NVD: CVE-2015-6909
THREAT TYPE
remote
Trust: 0.6
sources:
CNNVD: CNNVD-201509-149
TYPE
xss
Trust: 0.7
sources:
PACKETSTORM: 133520 //
CNNVD: CNNVD-201509-149
CONFIGURATIONS
sources:
JVNDB: JVNDB-2015-004686
PATCH
| title: | Release Notes for Download Station | url: | https://www.synology.com/en-global/releaseNote/DownloadStation?model=DS715 | Trust: 0.8 |
| title: | Synology Product Security Advisory | url: | https://www.synology.com/en-global/support/security/Download_Station_3_5_2962 | Trust: 0.8 |
sources:
JVNDB: JVNDB-2015-004686
EXTERNAL IDS
| db: | NVD | id: | CVE-2015-6909 | Trust: 2.6 |
| db: | PACKETSTORM | id: | 133520 | Trust: 1.9 |
| db: | JVNDB | id: | JVNDB-2015-004686 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-201509-149 | Trust: 0.7 |
| db: | VULHUB | id: | VHN-84870 | Trust: 0.1 |
| db: | VULMON | id: | CVE-2015-6909 | Trust: 0.1 |
sources:
VULHUB: VHN-84870 //
VULMON: CVE-2015-6909 //
JVNDB: JVNDB-2015-004686 //
PACKETSTORM: 133520 //
CNNVD: CNNVD-201509-149 //
NVD: CVE-2015-6909
REFERENCES
| url: | https://www.synology.com/en-global/releasenote/downloadstation?model=ds715 | Trust: 1.8 |
| url: | https://www.synology.com/en-global/support/security/download_station_3_5_2962 | Trust: 1.8 |
| url: | http://seclists.org/fulldisclosure/2015/sep/32 | Trust: 1.8 |
| url: | http://packetstormsecurity.com/files/133520/synology-download-station-3.5-2956-3.5-2962-cross-site-scripting.html | Trust: 1.8 |
| url: | https://www.securify.nl/advisory/sfy20150809/multiple_cross_site_scripting_vulnerabilities_in_synology_download_station.html | Trust: 1.8 |
| url: | http://www.securityfocus.com/archive/1/536428/100/0/threaded | Trust: 1.2 |
| url: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6909 | Trust: 0.8 |
| url: | http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6909 | Trust: 0.8 |
| url: | http://www.securityfocus.com/archive/1/archive/1/536428/100/0/threaded | Trust: 0.6 |
| url: | https://cwe.mitre.org/data/definitions/79.html | Trust: 0.1 |
| url: | https://nvd.nist.gov | Trust: 0.1 |
sources:
VULHUB: VHN-84870 //
VULMON: CVE-2015-6909 //
JVNDB: JVNDB-2015-004686 //
CNNVD: CNNVD-201509-149 //
NVD: CVE-2015-6909
CREDITS
Securify B.V., Han Sahin
Trust: 0.1
sources:
PACKETSTORM: 133520
SOURCES
| db: | VULHUB | id: | VHN-84870 |
| db: | VULMON | id: | CVE-2015-6909 |
| db: | JVNDB | id: | JVNDB-2015-004686 |
| db: | PACKETSTORM | id: | 133520 |
| db: | CNNVD | id: | CNNVD-201509-149 |
| db: | NVD | id: | CVE-2015-6909 |
LAST UPDATE DATE
2025-04-13T23:21:15.612000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-84870 | date: | 2018-10-09T00:00:00 |
| db: | VULMON | id: | CVE-2015-6909 | date: | 2018-10-09T00:00:00 |
| db: | JVNDB | id: | JVNDB-2015-004686 | date: | 2015-09-15T00:00:00 |
| db: | CNNVD | id: | CNNVD-201509-149 | date: | 2015-09-14T00:00:00 |
| db: | NVD | id: | CVE-2015-6909 | date: | 2025-04-12T10:46:40.837 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-84870 | date: | 2015-09-11T00:00:00 |
| db: | VULMON | id: | CVE-2015-6909 | date: | 2015-09-11T00:00:00 |
| db: | JVNDB | id: | JVNDB-2015-004686 | date: | 2015-09-15T00:00:00 |
| db: | PACKETSTORM | id: | 133520 | date: | 2015-09-10T00:09:22 |
| db: | CNNVD | id: | CNNVD-201509-149 | date: | 2015-09-14T00:00:00 |
| db: | NVD | id: | CVE-2015-6909 | date: | 2015-09-11T16:59:14.127 |