ID

VAR-201906-0947


CVE

CVE-2019-11828


TITLE

Synology Office vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-005856

DESCRIPTION

Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Synology Office contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Synology Office is a web-based office software suite developed by Synology Corporation of Taiwan, China. The system has features such as creating documents and spreadsheets online and importing local files. The vulnerability stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client code.

Trust: 1.71

sources: NVD: CVE-2019-11828 // JVNDB: JVNDB-2019-005856 // VULHUB: VHN-143513

AFFECTED PRODUCTS

vendor: synology
model: office
scope: lt
version: 3.1.4-2771

Trust: 1.8

sources: JVNDB: JVNDB-2019-005856 // NVD: CVE-2019-11828

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11828
value: MEDIUM

Trust: 1.0

security@synology.com: CVE-2019-11828
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-11828
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201906-1155
value: MEDIUM

Trust: 0.6

VULHUB: VHN-143513
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-11828
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-143513
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-11828
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.3
impactScore: 2.7
version: 3.1

Trust: 1.0

security@synology.com: CVE-2019-11828
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.3
impactScore: 3.7
version: 3.1

Trust: 1.0

NVD: CVE-2019-11828
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-143513 // JVNDB: JVNDB-2019-005856 // CNNVD: CNNVD-201906-1155 // NVD: CVE-2019-11828 // NVD: CVE-2019-11828

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-143513 // JVNDB: JVNDB-2019-005856 // NVD: CVE-2019-11828

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-1155

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201906-1155

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005856

PATCH

title: Synology-SA-19:11 Office
url: https://www.synology.com/ja-jp/security/advisory/Synology_SA_19_11

Trust: 0.8

title: Synology Office Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=94244

Trust: 0.6

sources: JVNDB: JVNDB-2019-005856 // CNNVD: CNNVD-201906-1155

EXTERNAL IDS

db: NVD, id: CVE-2019-11828

Trust: 2.5

db: JVNDB, id: JVNDB-2019-005856

Trust: 0.8

db: CNNVD, id: CNNVD-201906-1155

Trust: 0.7

db: VULHUB, id: VHN-143513

Trust: 0.1

sources: VULHUB: VHN-143513 // JVNDB: JVNDB-2019-005856 // CNNVD: CNNVD-201906-1155 // NVD: CVE-2019-11828

REFERENCES

url: https://www.synology.com/security/advisory/synology_sa_19_11

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2019-11828

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11828

Trust: 0.8

sources: VULHUB: VHN-143513 // JVNDB: JVNDB-2019-005856 // CNNVD: CNNVD-201906-1155 // NVD: CVE-2019-11828

SOURCES

db: VULHUB, id: VHN-143513
db: JVNDB, id: JVNDB-2019-005856
db: CNNVD, id: CNNVD-201906-1155
db: NVD, id: CVE-2019-11828

LAST UPDATE DATE

2024-11-23T23:11:47.693000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-143513, date: 2023-01-30T00:00:00
db: JVNDB, id: JVNDB-2019-005856, date: 2019-07-03T00:00:00
db: CNNVD, id: CNNVD-201906-1155, date: 2019-07-02T00:00:00
db: NVD, id: CVE-2019-11828, date: 2024-11-21T04:21:50.600

SOURCES RELEASE DATE

db: VULHUB, id: VHN-143513, date: 2019-06-30T00:00:00
db: JVNDB, id: JVNDB-2019-005856, date: 2019-07-03T00:00:00
db: CNNVD, id: CNNVD-201906-1155, date: 2019-06-30T00:00:00
db: NVD, id: CVE-2019-11828, date: 2019-06-30T15:15:09.870