Vulnerability CVE-2010-3684


Published: 2010-09-29   Modified: 2012-02-13

Description:
The FTP authentication module in Synology Disk Station 2.x logs passwords to the web application interface in cases of incorrect login attempts, which allows local users to obtain sensitive information by reading a log, a different vulnerability than CVE-2010-2453.

See advisories in our WLB2 database:
Topic
Author
Date
Low
Synology Disk Station Web commands injection
Rodrigo Branco
02.10.2010

Type:

CWE-255

(Credentials Management)

Vendor: Synology
Product: DSM 
Version:
2.3-1161
2.3-1157
2.3-1144
2.3-1141
2.3-1139
2.2-1045
2.2-1042
2.2-1041
2.2-0942

CVSS2 => (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
2.1/10
2.9/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://www.securityfocus.com/archive/1/513970/100/0/threaded

Related CVE
CVE-2019-9516
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater h...
CVE-2019-9513
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the...
CVE-2019-9511
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. T...
CVE-2019-11829
OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via the crafted 'X-Real-IP' header.
CVE-2019-11828
Cross-site scripting (XSS) vulnerability in Chart in Synology Office before 3.1.4-2771 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE-2019-11827
Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Shard in Synology Note Station before 2.5.3-0863 allows remote attackers to inject arbitrary web script or HTML via the object_id parameter.
CVE-2019-11826
Relative path traversal vulnerability in SYNO.PhotoTeam.Upload.Item in Synology Moments before 1.3.0-0691 allows remote authenticated users to upload arbitrary files via the name parameter.
CVE-2019-11825
Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title parameter.

Copyright 2019, cxsecurity.com

 

Back to Top