ID

VAR-202011-0781


CVE

CVE-2020-27659


TITLE

Synology SafeAccess Cross-site Scripting Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-013640

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter. Synology SafeAccess contains a cross-site scripting vulnerability. Information may be obtained and information may be tampered with. Synology SafeAccess is a device from China Synology Technology Co., Ltd. that can configure the security of the network environment. The device can monitor users' Internet behavior, set Internet schedules and time quotas, apply web filters to protect specific users, and protect all devices on the local network by blocking dangerous websites.

Trust: 1.71

sources: NVD: CVE-2020-27659 // JVNDB: JVNDB-2020-013640 // VULHUB: VHN-371568

AFFECTED PRODUCTS

vendor: synology, model: safeaccess, scope: lt, version: 1.2.3-0234

Trust: 1.0

vendor: synology, model: safe access, scope: eq, version: 1.2.3-0234

Trust: 0.8

vendor: synology, model: safe access, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-013640 // NVD: CVE-2020-27659

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-27659
value: MEDIUM

Trust: 1.0

security@synology.com: CVE-2020-27659
value: HIGH

Trust: 1.0

NVD: CVE-2020-27659
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202011-2089
value: MEDIUM

Trust: 0.6

VULHUB: VHN-371568
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2020-27659
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-371568
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-27659
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.1

Trust: 1.0

security@synology.com: CVE-2020-27659
baseSeverity: HIGH
baseScore: 8.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.7
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2020-27659
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-371568 // JVNDB: JVNDB-2020-013640 // CNNVD: CNNVD-202011-2089 // NVD: CVE-2020-27659 // NVD: CVE-2020-27659

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.1

problemtype: Cross-site scripting (CWE-79) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-371568 // JVNDB: JVNDB-2020-013640 // NVD: CVE-2020-27659

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202011-2089

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202011-2089

PATCH

title: Synology-SA-20, url: https://www.synology.com/ja-jp/security/advisory/Synology_SA_20_25

Trust: 0.8

title: Synology SafeAccess Fixes for cross-site scripting vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=135614

Trust: 0.6

sources: JVNDB: JVNDB-2020-013640 // CNNVD: CNNVD-202011-2089

EXTERNAL IDS

db: NVD, id: CVE-2020-27659

Trust: 2.5

db: TALOS, id: TALOS-2020-1087

Trust: 1.7

db: JVNDB, id: JVNDB-2020-013640

Trust: 0.8

db: CNNVD, id: CNNVD-202011-2089

Trust: 0.7

db: CNVD, id: CNVD-2020-68427

Trust: 0.1

db: VULHUB, id: VHN-371568

Trust: 0.1

sources: VULHUB: VHN-371568 // JVNDB: JVNDB-2020-013640 // CNNVD: CNNVD-202011-2089 // NVD: CVE-2020-27659

REFERENCES

url: https://www.synology.com/security/advisory/synology_sa_20_25

Trust: 1.7

url: https://github.com/thomasfady/synology_sa_20_25

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-27659

Trust: 1.4

url: https://www.talosintelligence.com/vulnerability_reports/talos-2020-1087

Trust: 1.1

url: https://talosintelligence.com/vulnerability_reports/talos-2020-1087

Trust: 0.6

sources: VULHUB: VHN-371568 // JVNDB: JVNDB-2020-013640 // CNNVD: CNNVD-202011-2089 // NVD: CVE-2020-27659

SOURCES

db: VULHUB, id: VHN-371568
db: JVNDB, id: JVNDB-2020-013640
db: CNNVD, id: CNNVD-202011-2089
db: NVD, id: CVE-2020-27659

LAST UPDATE DATE

2024-11-23T22:11:15.519000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-371568, date: 2022-04-12T00:00:00
db: JVNDB, id: JVNDB-2020-013640, date: 2021-07-08T09:03:00
db: CNNVD, id: CNNVD-202011-2089, date: 2020-12-23T00:00:00
db: NVD, id: CVE-2020-27659, date: 2024-11-21T05:21:36.743

SOURCES RELEASE DATE

db: VULHUB, id: VHN-371568, date: 2020-11-30T00:00:00
db: JVNDB, id: JVNDB-2020-013640, date: 2021-07-08T00:00:00
db: CNNVD, id: CNNVD-202011-2089, date: 2020-11-30T00:00:00
db: NVD, id: CVE-2020-27659, date: 2020-11-30T10:15:10.720