ID

VAR-201712-0197


CVE

CVE-2017-15890


TITLE

Synology MailPlus Server Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-011498

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter. Synology MailPlus Server contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology MailPlus Server is an email service suite from Synology. The product supports the management of user accounts, mail records, etc. Disclaimer is one of the disclaimer modules.

Trust: 1.71

sources: NVD: CVE-2017-15890 // JVNDB: JVNDB-2017-011498 // VULHUB: VHN-106758

AFFECTED PRODUCTS

vendor: synology, model: mailplus server, scope: lt, version: 1.4.0-0415

Trust: 1.8

sources: JVNDB: JVNDB-2017-011498 // NVD: CVE-2017-15890

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-15890
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-15890
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201710-1151
value: MEDIUM

Trust: 0.6

VULHUB: VHN-106758
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-15890
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-106758
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-15890
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-106758 // JVNDB: JVNDB-2017-011498 // CNNVD: CNNVD-201710-1151 // NVD: CVE-2017-15890

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-106758 // JVNDB: JVNDB-2017-011498 // NVD: CVE-2017-15890

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-1151

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201710-1151

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011498

PATCH

title: Synology-SA-17:75, url: https://www.synology.com/en-global/support/security/Synology_SA_17_75

Trust: 0.8

title: Synology MailPlus Server Disclaimer Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100123

Trust: 0.6

sources: JVNDB: JVNDB-2017-011498 // CNNVD: CNNVD-201710-1151

EXTERNAL IDS

db: NVD, id: CVE-2017-15890

Trust: 2.5

db: JVNDB, id: JVNDB-2017-011498

Trust: 0.8

db: CNNVD, id: CNNVD-201710-1151

Trust: 0.7

db: VULHUB, id: VHN-106758

Trust: 0.1

sources: VULHUB: VHN-106758 // JVNDB: JVNDB-2017-011498 // CNNVD: CNNVD-201710-1151 // NVD: CVE-2017-15890

REFERENCES

url: https://www.synology.com/en-global/support/security/synology_sa_17_75

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-15890

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-15890

Trust: 0.8

sources: VULHUB: VHN-106758 // JVNDB: JVNDB-2017-011498 // CNNVD: CNNVD-201710-1151 // NVD: CVE-2017-15890

SOURCES

db: VULHUB, id: VHN-106758
db: JVNDB, id: JVNDB-2017-011498
db: CNNVD, id: CNNVD-201710-1151
db: NVD, id: CVE-2017-15890

LAST UPDATE DATE

2025-04-20T23:29:31.033000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-106758, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2017-011498, date: 2018-01-17T00:00:00
db: CNNVD, id: CNNVD-201710-1151, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-15890, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB, id: VHN-106758, date: 2017-12-15T00:00:00
db: JVNDB, id: JVNDB-2017-011498, date: 2018-01-17T00:00:00
db: CNNVD, id: CNNVD-201710-1151, date: 2017-10-27T00:00:00
db: NVD, id: CVE-2017-15890, date: 2017-12-15T15:29:00.197