ID

VAR-201806-1563


CVE

CVE-2018-8924


TITLE

Synology Office vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-005920

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Title Tootip in Synology Office before 3.0.3-2143 allows remote authenticated users to inject arbitrary web script or HTML via a malicious file name. Synology Office contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology Office is a web-based office software system developed by Synology. The system has features such as creating documents and spreadsheets online, and importing local files. Title Tootip is one of the title prompt components.

Trust: 1.8

sources: NVD: CVE-2018-8924 // JVNDB: JVNDB-2018-005920 // VULHUB: VHN-138956 // VULMON: CVE-2018-8924

AFFECTED PRODUCTS

vendor: synology
model: office
scope: lt
version: 3.0.3-2143

Trust: 1.8

sources: JVNDB: JVNDB-2018-005920 // NVD: CVE-2018-8924

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8924
value: MEDIUM

Trust: 1.0

security@synology.com: CVE-2018-8924
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-8924
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201806-326
value: MEDIUM

Trust: 0.6

VULHUB: VHN-138956
value: LOW

Trust: 0.1

VULMON: CVE-2018-8924
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-8924
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-138956
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-8924
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

security@synology.com: CVE-2018-8924
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.3
impactScore: 3.7
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-138956 // VULMON: CVE-2018-8924 // JVNDB: JVNDB-2018-005920 // CNNVD: CNNVD-201806-326 // NVD: CVE-2018-8924 // NVD: CVE-2018-8924

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-138956 // JVNDB: JVNDB-2018-005920 // NVD: CVE-2018-8924

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201806-326

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201806-326

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-005920

PATCH

title: Synology-SA-18:12
url: https://www.synology.com/zh-tw/support/security/Synology_SA_18_12

Trust: 0.8

title: Synology Office Title Tootip Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80680

Trust: 0.6

sources: JVNDB: JVNDB-2018-005920 // CNNVD: CNNVD-201806-326

EXTERNAL IDS

db: NVD, id: CVE-2018-8924

Trust: 2.6

db: JVNDB, id: JVNDB-2018-005920

Trust: 0.8

db: CNNVD, id: CNNVD-201806-326

Trust: 0.7

db: VULHUB, id: VHN-138956

Trust: 0.1

db: VULMON, id: CVE-2018-8924

Trust: 0.1

sources: VULHUB: VHN-138956 // VULMON: CVE-2018-8924 // JVNDB: JVNDB-2018-005920 // CNNVD: CNNVD-201806-326 // NVD: CVE-2018-8924

REFERENCES

url: https://www.synology.com/zh-tw/support/security/synology_sa_18_12

Trust: 1.8

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8924

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-8924

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/144404

Trust: 0.1

sources: VULHUB: VHN-138956 // VULMON: CVE-2018-8924 // JVNDB: JVNDB-2018-005920 // CNNVD: CNNVD-201806-326 // NVD: CVE-2018-8924

SOURCES

db: VULHUB, id: VHN-138956
db: VULMON, id: CVE-2018-8924
db: JVNDB, id: JVNDB-2018-005920
db: CNNVD, id: CNNVD-201806-326
db: NVD, id: CVE-2018-8924

LAST UPDATE DATE

2024-11-23T21:53:00.780000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-138956, date: 2019-10-09T00:00:00
db: VULMON, id: CVE-2018-8924, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-005920, date: 2018-08-02T00:00:00
db: CNNVD, id: CNNVD-201806-326, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-8924, date: 2024-11-21T04:14:36.833

SOURCES RELEASE DATE

db: VULHUB, id: VHN-138956, date: 2018-06-05T00:00:00
db: VULMON, id: CVE-2018-8924, date: 2018-06-05T00:00:00
db: JVNDB, id: JVNDB-2018-005920, date: 2018-08-02T00:00:00
db: CNNVD, id: CNNVD-201806-326, date: 2018-06-06T00:00:00
db: NVD, id: CVE-2018-8924, date: 2018-06-05T14:29:00.427