ID

VAR-201712-0199


CVE

CVE-2017-15892


TITLE

Synology Chat vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-011891

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Slash Command Creator in Synology Chat before 2.0.0-1124 allow remote authenticated users to inject arbitrary web script or HTML via the (1) COMMAND, (2) COMMANDS INSTRUCTION, or (3) DESCRIPTION parameter. Synology Chat contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology Chat is an instant chat tool developed by Synology. Slash Command Creator is one of the Slash command tools

Trust: 1.71

sources: NVD: CVE-2017-15892 // JVNDB: JVNDB-2017-011891 // VULHUB: VHN-106760

AFFECTED PRODUCTS

vendor: synology
model: chat
scope: lt
version: 2.0.0-1124

Trust: 1.8

sources: JVNDB: JVNDB-2017-011891 // NVD: CVE-2017-15892

CVSS

SEVERITY

nvd@nist.gov: CVE-2017-15892
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-15892
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201710-1149
value: MEDIUM

Trust: 0.6

VULHUB: VHN-106760
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2017-15892
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-106760
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2017-15892
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-106760 // JVNDB: JVNDB-2017-011891 // CNNVD: CNNVD-201710-1149 // NVD: CVE-2017-15892

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-106760 // JVNDB: JVNDB-2017-011891 // NVD: CVE-2017-15892

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201710-1149

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201710-1149

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011891

PATCH

title: Synology-SA-17:78 Chat
url: https://www.synology.com/en-global/support/security/Synology_SA_17_78

Trust: 0.8

title: Synology Chat Slash Command Creator Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=100122

Trust: 0.6

sources: JVNDB: JVNDB-2017-011891 // CNNVD: CNNVD-201710-1149

EXTERNAL IDS

db: NVD, id: CVE-2017-15892

Trust: 2.5

db: JVNDB, id: JVNDB-2017-011891

Trust: 0.8

db: CNNVD, id: CNNVD-201710-1149

Trust: 0.7

db: VULHUB, id: VHN-106760

Trust: 0.1

sources: VULHUB: VHN-106760 // JVNDB: JVNDB-2017-011891 // CNNVD: CNNVD-201710-1149 // NVD: CVE-2017-15892

REFERENCES

url: https://www.synology.com/en-global/support/security/synology_sa_17_78

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-15892

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-15892

Trust: 0.8

sources: VULHUB: VHN-106760 // JVNDB: JVNDB-2017-011891 // CNNVD: CNNVD-201710-1149 // NVD: CVE-2017-15892

SOURCES

db: VULHUB, id: VHN-106760
db: JVNDB, id: JVNDB-2017-011891
db: CNNVD, id: CNNVD-201710-1149
db: NVD, id: CVE-2017-15892

LAST UPDATE DATE

2025-04-20T23:39:55.507000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-106760, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2017-011891, date: 2018-02-02T00:00:00
db: CNNVD, id: CNNVD-201710-1149, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-15892, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB, id: VHN-106760, date: 2017-12-28T00:00:00
db: JVNDB, id: JVNDB-2017-011891, date: 2018-02-02T00:00:00
db: CNNVD, id: CNNVD-201710-1149, date: 2017-10-27T00:00:00
db: NVD, id: CVE-2017-15892, date: 2017-12-28T15:29:00.257