CVE-2021-43929 — Injection in Synology Diskstation Manager

CWE-74 — Injection CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

CNA6.5

EPSS

0.2%

top 56.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Synology Diskstation Manager

Timeline

PublishedFeb 7

Latest updateFeb 8

Description

Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5synology/diskstation_managerunspecified — 7.0.1-42218-2

▶NVDsynology/diskstation_manager6.2 — 6.2.4-25556-3+1

🔴Vulnerability Details

GHSA

GHSA-g296-pch4-8795: Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology D↗2022-02-08

▶

CVEList

CVE-2021-43929: Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology D↗2022-02-07

▶