ID

VAR-201806-1562


CVE

CVE-2018-8923


TITLE

Synology File Station Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-005919

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology File Station before 1.1.4-0122 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments. Synology File Station contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology File Station is a suite of file management tools from Synology. This tool enables users to access files on Synology NAS devices via the web. Attachment Preview is one of the attachment preview components.

Trust: 1.71

sources: NVD: CVE-2018-8923 // JVNDB: JVNDB-2018-005919 // VULHUB: VHN-138955

AFFECTED PRODUCTS

vendor: synology | model: file station | scope: lt | version: 1.1.4-0122

Trust: 1.8

vendor: synology | model: file station | scope: eq | version: 1.0.0-0039

Trust: 0.6

vendor: synology | model: file station | scope: eq | version: 1.1.1-0099

Trust: 0.6

vendor: synology | model: file station | scope: eq | version: 1.1.1-0103

Trust: 0.6

vendor: synology | model: file station | scope: eq | version: 1.1.1-0095

Trust: 0.6

vendor: synology | model: file station | scope: eq | version: 1.0.1-0046

Trust: 0.6

vendor: synology | model: file station | scope: eq | version: 1.1.2-0115

Trust: 0.6

vendor: synology | model: file station | scope: eq | version: 1.0.0-0027

Trust: 0.6

vendor: synology | model: file station | scope: eq | version: 1.1.0-0075

Trust: 0.6

vendor: synology | model: file station | scope: eq | version: 1.1.1-0110

Trust: 0.6

vendor: synology | model: file station | scope: eq | version: 1.0.2-0049

Trust: 0.6

sources: JVNDB: JVNDB-2018-005919 // CNNVD: CNNVD-201806-327 // NVD: CVE-2018-8923

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8923
value: MEDIUM

Trust: 1.0

security@synology.com: CVE-2018-8923
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-8923
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201806-327
value: MEDIUM

Trust: 0.6

VULHUB: VHN-138955
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-8923
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-138955
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-8923
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

security@synology.com: CVE-2018-8923
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.3
impactScore: 3.7
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-138955 // JVNDB: JVNDB-2018-005919 // CNNVD: CNNVD-201806-327 // NVD: CVE-2018-8923 // NVD: CVE-2018-8923

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-138955 // JVNDB: JVNDB-2018-005919 // NVD: CVE-2018-8923

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-327

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201806-327

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-005919

PATCH

title: Synology_SA_18_09 | url: https://www.synology.com/zh-tw/support/security/Synology_SA_18_09

Trust: 0.8

title: Synology File Station Attachment Preview Fixes for component cross-site scripting vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80681

Trust: 0.6

sources: JVNDB: JVNDB-2018-005919 // CNNVD: CNNVD-201806-327

EXTERNAL IDS

db: NVD | id: CVE-2018-8923

Trust: 2.5

db: JVNDB | id: JVNDB-2018-005919

Trust: 0.8

db: CNNVD | id: CNNVD-201806-327

Trust: 0.7

db: VULHUB | id: VHN-138955

Trust: 0.1

sources: VULHUB: VHN-138955 // JVNDB: JVNDB-2018-005919 // CNNVD: CNNVD-201806-327 // NVD: CVE-2018-8923

REFERENCES

url:https://www.synology.com/zh-tw/support/security/synology_sa_18_09

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8923

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-8923

Trust: 0.8

sources: VULHUB: VHN-138955 // JVNDB: JVNDB-2018-005919 // CNNVD: CNNVD-201806-327 // NVD: CVE-2018-8923

SOURCES

db: VULHUB | id: VHN-138955
db: JVNDB | id: JVNDB-2018-005919
db: CNNVD | id: CNNVD-201806-327
db: NVD | id: CVE-2018-8923

LAST UPDATE DATE

2024-11-23T23:05:05.360000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-138955 | date: 2019-10-09T00:00:00
db: JVNDB | id: JVNDB-2018-005919 | date: 2018-08-02T00:00:00
db: CNNVD | id: CNNVD-201806-327 | date: 2019-10-17T00:00:00
db: NVD | id: CVE-2018-8923 | date: 2024-11-21T04:14:36.707

SOURCES RELEASE DATE

db: VULHUB | id: VHN-138955 | date: 2018-06-05T00:00:00
db: JVNDB | id: JVNDB-2018-005919 | date: 2018-08-02T00:00:00
db: CNNVD | id: CNNVD-201806-327 | date: 2018-06-06T00:00:00
db: NVD | id: CVE-2018-8923 | date: 2018-06-05T14:29:00.363