CVE-2020-27658Sensitive Cookie Without 'HttpOnly' Flag in Synology Router Manager

CWE-1004Sensitive Cookie Without 'HttpOnly' FlagCWE-732Incorrect Permission Assignment3 documents3 sources
Severity
6.1MEDIUMNVD
CNA7.1
EPSS
0.3%
top 50.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Synology Router ManagerSynology Router Manager
Timeline
PublishedOct 29
Latest updateMay 24

Description

Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDsynology/router_manager1.21.2.4-8081
CVEListV5synology/synology_router_managerunspecified1.2.4-8081

🔴Vulnerability Details

2
GHSA
GHSA-3ffh-4665-44q7: Synology Router Manager (SRM) before 12022-05-24
CVEList
CVE-2020-27658: Synology Router Manager (SRM) before 12020-10-29
CVE-2020-27658 — Synology Router Manager vulnerability | cvebase