CVE-2024-53281 - Vulnerability Details - OpenCVE

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Network WOL functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Synology	Router Manager

No data.

No data.

References

Link	Providers
https://www.synology.com/en-global/security/advisory/Synology_SA_24_09

History

Mon, 09 Dec 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Synology Synology router Manager
CPEs		cpe:2.3:a:synology:router_manager::::::::
Vendors & Products		Synology Synology router Manager
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Dec 2024 04:00:00 +0000

Type	Values Removed	Values Added
Description		Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Network WOL functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Weaknesses		CWE-79
References		https://www.synology.com/en-global/security/advisory/Synology_SA_24_09
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: synology

Published: 2024-12-09T03:30:21.508Z

Updated: 2024-12-09T15:10:13.300Z

Reserved: 2024-11-20T03:43:14.919Z

Link: CVE-2024-53281

Vulnrichment

Updated: 2024-12-09T15:02:24.368Z

NVD

Status : Received

Published: 2024-12-09T04:15:04.793

Modified: 2024-12-09T04:15:04.793

Link: CVE-2024-53281

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53281", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "state": "PUBLISHED", "assignerShortName": "synology", "dateReserved": "2024-11-20T03:43:14.919Z", "datePublished": "2024-12-09T03:30:21.508Z", "dateUpdated": "2024-12-09T15:10:13.300Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "Synology", "product": "Synology Router Manager (SRM)", "versions": [{"version": "1.3", "status": "affected", "lessThan": "1.3.1-9346-10", "versionType": "semver"}, {"version": "0", "status": "unknown", "lessThan": "1.3", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Network WOL functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_09", "name": "Synology-SA-24:09 SRM", "tags": ["vendor-advisory"]}], "credits": [{"lang": "en", "value": "Only Hack in Cave (tr4ce(Jinho Ju), neko_hat(Dohwan Kim), tw0n3(Han Lee), Hc0wl(GangMin Kim)) (https://github.com/Team-OHiC)", "type": "finder"}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2024-12-09T03:30:21.508Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-53281", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-09T14:57:59.773190Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:synology:router_manager:*:*:*:*:*:*:*:*"], "vendor": "synology", "product": "router_manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "1.3", "versionType": "custom"}, {"status": "affected", "version": "1.3", "lessThan": "1.3.1-9346-10", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:synology:router_manager:*:*:*:*:*:*:*:*"], "vendor": "synology", "product": "router_manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "1.3", "versionType": "custom"}, {"status": "affected", "version": "1.3", "lessThan": "1.3.1-9346-10", "versionType": "custom"}], "defaultStatus": "unknown"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-09T15:10:13.300Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-53281", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-09T14:57:59.773190Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:synology:router_manager:*:*:*:*:*:*:*:*"], "vendor": "synology", "product": "router_manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "1.3", "versionType": "custom"}, {"status": "affected", "version": "1.3", "lessThan": "1.3.1-9346-10", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:synology:router_manager:*:*:*:*:*:*:*:*"], "vendor": "synology", "product": "router_manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "1.3", "versionType": "custom"}, {"status": "affected", "version": "1.3", "lessThan": "1.3.1-9346-10", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-09T15:02:24.368Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Only Hack in Cave (tr4ce(Jinho Ju), neko_hat(Dohwan Kim), tw0n3(Han Lee), Hc0wl(GangMin Kim)) (https://github.com/Team-OHiC)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Synology", "product": "Synology Router Manager (SRM)", "versions": [{"status": "affected", "version": "1.3", "lessThan": "1.3.1-9346-10", "versionType": "semver"}, {"status": "unknown", "version": "0", "lessThan": "1.3", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_09", "name": "Synology-SA-24:09 SRM", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Network WOL functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology", "dateUpdated": "2024-12-09T03:30:21.508Z"}}}, "cveMetadata": {"cveId": "CVE-2024-53281", "state": "PUBLISHED", "dateUpdated": "2024-12-09T15:10:13.300Z", "dateReserved": "2024-11-20T03:43:14.919Z", "assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "datePublished": "2024-12-09T03:30:21.508Z", "assignerShortName": "synology"}, "dataVersion": "5.1"}