CVE-2020-27650 — Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Synology Diskstation Manager

CWE-614 — Sensitive Cookie in HTTPS Session Without 'Secure' Attribute CWE-311 — Missing Encryption of Sensitive Data3 documents3 sources

Severity

3.7LOWNVD

CNA5.8

EPSS

0.2%

top 61.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Synology Diskstation Manager Synology Skynas Firmware

Timeline

PublishedOct 29

Latest updateMay 24

Description

Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5synology/diskstation_managerunspecified — 6.2.3-25426-2

▶NVDsynology/diskstation_manager6.2 — 6.2.3-25426-2

▶NVDsynology/skynas_firmware< 6.2.3-25426

🔴Vulnerability Details

GHSA

GHSA-pr6j-q8cq-rhhr: Synology DiskStation Manager (DSM) before 6↗2022-05-24

▶

CVEList

CVE-2020-27650: Synology DiskStation Manager (DSM) before 6↗2020-10-29

▶