CVE-2021-26566: Sensitive Info Insertion into Sent Data in Synology DiskStation Manager

Severity: 9.0 CRITICAL (NVD), 8.3 (CNA)
EPSS: 0.5% (top 32.52%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 26; latest update May 24

Description

Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary commands via inbound QuickConnect traffic.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 6.0

Affected Packages: 3 packages

🔴 Vulnerability Details (2)

GHSA: GHSA-x5fh-xfvr-gg7m: Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6 | 2022-05-24
CVEList: CVE-2021-26566: Insertion of sensitive information into sent data vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6 | 2021-02-26

🕵️ Threat Intelligence (2)

Talos: Vulnerability Spotlight: Multiple vulnerabilities in Synology DiskStation Manager | 2021-04-20
Talos: Vulnerability Spotlight: Multiple vulnerabilities in Synology DiskStation Manager | 2021-04-20