CVE-2020-27651Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Synology Router Manager

CWE-614Sensitive Cookie in HTTPS Session Without 'Secure' AttributeCWE-311Missing Encryption of Sensitive Data3 documents3 sources
Severity
8.1HIGHNVD
CNA5.8
EPSS
0.3%
top 44.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Synology Router ManagerSynology Router Manager
Timeline
PublishedOct 29
Latest updateMay 24

Description

Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

NVDsynology/router_manager1.21.2.4-8081
CVEListV5synology/synology_router_managerunspecified1.2.4-8081

🔴Vulnerability Details

2
GHSA
GHSA-mxhv-mc3x-7jmr: Synology Router Manager (SRM) before 12022-05-24
CVEList
CVE-2020-27651: Synology Router Manager (SRM) before 12020-10-29
CVE-2020-27651 — Synology Router Manager vulnerability | cvebase