ID

VAR-201807-1691


CVE

CVE-2018-8928


TITLE

Synology CardDAV Server vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-006524

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Address Book Editor in Synology CardDAV Server before 6.0.8-0086 allows remote authenticated users to inject arbitrary web script or HTML via the (1) family_name, (2) given_name, or (3) additional_name parameter. Synology CardDAV Server contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology CardDAV Server is an application from Synology for synchronizing contacts. Address Book Editor is one of the address book editors

Trust: 1.71

sources: NVD: CVE-2018-8928 // JVNDB: JVNDB-2018-006524 // VULHUB: VHN-138960

AFFECTED PRODUCTS

vendor: synology, model: carddav server, scope: lt, version: 6.0.8-0086

Trust: 1.8

sources: JVNDB: JVNDB-2018-006524 // NVD: CVE-2018-8928

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8928
value: MEDIUM

Trust: 1.0

security@synology.com: CVE-2018-8928
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-8928
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201807-351
value: MEDIUM

Trust: 0.6

VULHUB: VHN-138960
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-8928
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-138960
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-8928
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.0

Trust: 1.8

security@synology.com: CVE-2018-8928
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.3
impactScore: 3.7
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-138960 // JVNDB: JVNDB-2018-006524 // CNNVD: CNNVD-201807-351 // NVD: CVE-2018-8928 // NVD: CVE-2018-8928

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-138960 // JVNDB: JVNDB-2018-006524 // NVD: CVE-2018-8928

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-351

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201807-351

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-006524

PATCH

title: Synology-SA-18:10, url: https://www.synology.com/en-global/support/security/Synology_SA_18_10

Trust: 0.8

title: Synology CardDAV Server Address Book Editor Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81779

Trust: 0.6

sources: JVNDB: JVNDB-2018-006524 // CNNVD: CNNVD-201807-351

EXTERNAL IDS

db: NVD, id: CVE-2018-8928

Trust: 2.5

db: JVNDB, id: JVNDB-2018-006524

Trust: 0.8

db: CNNVD, id: CNNVD-201807-351

Trust: 0.7

db: VULHUB, id: VHN-138960

Trust: 0.1

sources: VULHUB: VHN-138960 // JVNDB: JVNDB-2018-006524 // CNNVD: CNNVD-201807-351 // NVD: CVE-2018-8928

REFERENCES

url: https://www.synology.com/en-global/support/security/synology_sa_18_10

Trust: 1.7

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8928

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-8928

Trust: 0.8

sources: VULHUB: VHN-138960 // JVNDB: JVNDB-2018-006524 // CNNVD: CNNVD-201807-351 // NVD: CVE-2018-8928

SOURCES

db: VULHUB, id: VHN-138960
db: JVNDB, id: JVNDB-2018-006524
db: CNNVD, id: CNNVD-201807-351
db: NVD, id: CVE-2018-8928

LAST UPDATE DATE

2024-11-23T22:45:15.909000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-138960, date: 2019-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-006524, date: 2018-08-24T00:00:00
db: CNNVD, id: CNNVD-201807-351, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2018-8928, date: 2024-11-21T04:14:37.347

SOURCES RELEASE DATE

db: VULHUB, id: VHN-138960, date: 2018-07-05T00:00:00
db: JVNDB, id: JVNDB-2018-006524, date: 2018-08-24T00:00:00
db: CNNVD, id: CNNVD-201807-351, date: 2018-07-06T00:00:00
db: NVD, id: CVE-2018-8928, date: 2018-07-05T13:29:00.680