ID

VAR-202011-0782


CVE

CVE-2020-27660


TITLE

SQL injection vulnerability in Synology SafeAccess

Trust: 0.8

sources: JVNDB: JVNDB-2020-013641

DESCRIPTION

SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter. Synology SafeAccess contains an SQL injection vulnerability. Information may be obtained or tampered with, and service may be disrupted (DoS). Synology SafeAccess is a device from China Synology Technology Co., Ltd. that can configure the security of the network environment. The device can monitor users' Internet behavior, set Internet schedules and time quotas, apply web filters to protect specific users, and protect all devices on the local network by blocking dangerous websites.

Trust: 1.71

sources: NVD: CVE-2020-27660 // JVNDB: JVNDB-2020-013641 // VULHUB: VHN-371569

AFFECTED PRODUCTS

vendor: synology, model: safeaccess, scope: lt, version: 1.2.3-0234

Trust: 1.0

vendor: synology, model: safe access, scope: eq, version: 1.2.3-0234

Trust: 0.8

vendor: synology, model: safe access, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-013641 // NVD: CVE-2020-27660

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-27660
value: CRITICAL

Trust: 1.0

security@synology.com: CVE-2020-27660
value: CRITICAL

Trust: 1.0

NVD: CVE-2020-27660
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202011-2088
value: CRITICAL

Trust: 0.6

VULHUB: VHN-371569
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-27660
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-371569
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-27660
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

security@synology.com: CVE-2020-27660
baseSeverity: CRITICAL
baseScore: 9.6
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2020-27660
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-371569 // JVNDB: JVNDB-2020-013641 // CNNVD: CNNVD-202011-2088 // NVD: CVE-2020-27660 // NVD: CVE-2020-27660

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.1

problemtype:SQL injection (CWE-89) [NVD Evaluation]

Trust: 0.8

sources: VULHUB: VHN-371569 // JVNDB: JVNDB-2020-013641 // NVD: CVE-2020-27660

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202011-2088

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202011-2088

PATCH

title: Synology-SA-20, url: https://www.synology.com/ja-jp/security/advisory/Synology_SA_20_25

Trust: 0.8

title: Synology SafeAccess SQL injection vulnerability repair measures, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=137132

Trust: 0.6

sources: JVNDB: JVNDB-2020-013641 // CNNVD: CNNVD-202011-2088

EXTERNAL IDS

db: NVD, id: CVE-2020-27660

Trust: 2.5

db: TALOS, id: TALOS-2020-1087

Trust: 1.7

db: JVNDB, id: JVNDB-2020-013641

Trust: 0.8

db: CNNVD, id: CNNVD-202011-2088

Trust: 0.7

db: CNVD, id: CNVD-2020-68544

Trust: 0.1

db: VULHUB, id: VHN-371569

Trust: 0.1

sources: VULHUB: VHN-371569 // JVNDB: JVNDB-2020-013641 // CNNVD: CNNVD-202011-2088 // NVD: CVE-2020-27660

REFERENCES

url:https://www.synology.com/security/advisory/synology_sa_20_25

Trust: 1.7

url:https://github.com/thomasfady/synology_sa_20_25

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-27660

Trust: 1.4

url:https://www.talosintelligence.com/vulnerability_reports/talos-2020-1087

Trust: 1.1

url:https://talosintelligence.com/vulnerability_reports/talos-2020-1087

Trust: 0.6

sources: VULHUB: VHN-371569 // JVNDB: JVNDB-2020-013641 // CNNVD: CNNVD-202011-2088 // NVD: CVE-2020-27660

SOURCES

db: VULHUB, id: VHN-371569
db: JVNDB, id: JVNDB-2020-013641
db: CNNVD, id: CNNVD-202011-2088
db: NVD, id: CVE-2020-27660

LAST UPDATE DATE

2024-11-23T22:11:15.543000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-371569, date: 2022-04-12T00:00:00
db: JVNDB, id: JVNDB-2020-013641, date: 2021-07-08T09:03:00
db: CNNVD, id: CNNVD-202011-2088, date: 2020-12-23T00:00:00
db: NVD, id: CVE-2020-27660, date: 2024-11-21T05:21:36.873

SOURCES RELEASE DATE

db: VULHUB, id: VHN-371569, date: 2020-11-30T00:00:00
db: JVNDB, id: JVNDB-2020-013641, date: 2021-07-08T00:00:00
db: CNNVD, id: CNNVD-202011-2088, date: 2020-11-30T00:00:00
db: NVD, id: CVE-2020-27660, date: 2020-11-30T10:15:11.237