CVE-2025-1021

CWE-862 — Missing Authorization CWE-1021 — Clickjacking CWE-668 — Exposure to Wrong Sphere18 documents8 sources

Severity

7.5HIGH

EPSS

0.3%

top 45.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Synology Diskstation Manager (dsm)Synology Diskstation Manager

Timeline

PublishedApr 23

Latest updateJan 15

Description

Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDsynology/diskstation_manager7.1 — 7.1.1-42962-8+2

▶CVEListV5synology/diskstation_manager_(dsm)7.2.2 — 7.2.2-72806-3+2

🔴Vulnerability Details

GHSA

FeehiCMS is vulnerable to reverse tabnabbing↗2025-12-01

▶

GHSA

HAX CMS application pages vulnerable to clickjacking↗2025-07-21

▶

GHSA

@haxtheweb/haxcms-nodejs Iframe Phishing vulnerability↗2025-06-09

▶

CVEList

CVE-2025-1021: Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7↗2025-04-23

▶

GHSA

GHSA-5h3w-59m5-q6wr: Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7↗2025-04-23

▶

📋Vendor Advisories

Juniper

CVE-2025-52987: A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) due to the application's↗2026-01-15

▶

Red Hat

chromium-browser: Inappropriate implementation in Downloads↗2025-12-02

▶

Red Hat

chromium-browser: Inappropriate implementation in Compositing↗2025-11-14

▶

Red Hat

chromium-browser: Incorrect security UI in SplitView↗2025-11-10

▶

Red Hat

firefox: thunderbird: Clickjacking vulnerability could have led to leaking saved payment card details↗2025-05-27

▶