ID

VAR-201712-0381


CVE

CVE-2017-16768


TITLE

Synology MailPlus Server Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-011768

DESCRIPTION

Cross-site scripting (XSS) vulnerability in User Policy editor in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary HTML via the name parameter. Synology MailPlus Server contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology MailPlus Server is an email service suite from Synology. The product supports the management of user accounts, mail records, etc. User Policy editor is one of the user policy editors

Trust: 1.71

sources: NVD: CVE-2017-16768 // JVNDB: JVNDB-2017-011768 // VULHUB: VHN-107723

AFFECTED PRODUCTS

vendor: synology, model: mailplus server, scope: lt, version: 1.4.0-0415

Trust: 1.8

sources: JVNDB: JVNDB-2017-011768 // NVD: CVE-2017-16768

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-16768
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-16768
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201712-961
value: LOW

Trust: 0.6

VULHUB: VHN-107723
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-16768
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-107723
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-16768
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-107723 // JVNDB: JVNDB-2017-011768 // CNNVD: CNNVD-201712-961 // NVD: CVE-2017-16768

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-107723 // JVNDB: JVNDB-2017-011768 // NVD: CVE-2017-16768

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201712-961

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201712-961

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011768

PATCH

title: Synology-SA-17:81
url: https://www.synology.com/en-global/support/security/Synology_SA_17_81

Trust: 0.8

title: Synology MailPlus Server User Policy Fixes for editor cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77350

Trust: 0.6

sources: JVNDB: JVNDB-2017-011768 // CNNVD: CNNVD-201712-961

EXTERNAL IDS

db: NVD, id: CVE-2017-16768

Trust: 2.5

db: JVNDB, id: JVNDB-2017-011768

Trust: 0.8

db: CNNVD, id: CNNVD-201712-961

Trust: 0.6

db: VULHUB, id: VHN-107723

Trust: 0.1

sources: VULHUB: VHN-107723 // JVNDB: JVNDB-2017-011768 // CNNVD: CNNVD-201712-961 // NVD: CVE-2017-16768

REFERENCES

url: https://www.synology.com/en-global/support/security/synology_sa_17_81

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16768

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-16768

Trust: 0.8

sources: VULHUB: VHN-107723 // JVNDB: JVNDB-2017-011768 // CNNVD: CNNVD-201712-961 // NVD: CVE-2017-16768

SOURCES

db: VULHUB, id: VHN-107723
db: JVNDB, id: JVNDB-2017-011768
db: CNNVD, id: CNNVD-201712-961
db: NVD, id: CVE-2017-16768

LAST UPDATE DATE

2025-04-20T23:03:54.736000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-107723, date: 2018-01-10T00:00:00
db: JVNDB, id: JVNDB-2017-011768, date: 2018-01-25T00:00:00
db: CNNVD, id: CNNVD-201712-961, date: 2017-12-28T00:00:00
db: NVD, id: CVE-2017-16768, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: VULHUB, id: VHN-107723, date: 2017-12-27T00:00:00
db: JVNDB, id: JVNDB-2017-011768, date: 2018-01-25T00:00:00
db: CNNVD, id: CNNVD-201712-961, date: 2017-12-28T00:00:00
db: NVD, id: CVE-2017-16768, date: 2017-12-27T17:29:00.323