Vulnerability CVE-2013-6955
Published: 2014-01-09   Modified: 2014-01-10

Description:
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

See advisories in our WLB2 database:
Topic
Author
Date
High
Synology DiskStation Manager SLICEUPLOAD Remote Command Execution
Markus Wulftange
23.12.2013
High
Diskstation Manager 4.3-3810 Data Append / Code Execution
tiamat451
26.03.2014

Type:

CWE-264

 (Permissions, Privileges, and Access Controls)

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Synology -> Diskstation manager 

 References:
http://www.kb.cert.org/vuls/id/615910
Copyright 2024, cxsecurity.com

 

Back to Top