Taien Wang

**Name of the Vulnerable Software and Affected Versions** Synology CardDAV Server versions prior to 6.0.8-0086 **Description** A cross-site scripting (XSS) issue exists in the Address Book Editor of Synology CardDAV Server, allowing remote authenticated users to inject arbitrary web script or HTML via the `family name`, `given name`, or `additional name` parameters. **Recommendations** For versions prior to 6.0.8-0086, update to version 6.0.8-0086 or later to resolve the issue. As a temporary workaround, consider restricting access to the Address Book Editor until the update is applied. Avoid using the `family name`, `given name`, or `additional name` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Synology Calendar versions prior to 2.1.2-0511 **Description** The issue is related to improper authorization, allowing remote authenticated users to create arbitrary events. This can be achieved via the `cal id` or `original cal id` parameters. **Recommendations** For versions prior to 2.1.2-0511, update to version 2.1.2-0511 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Synology File Station versions prior to 1.1.4-0122 **Description** A cross-site scripting (XSS) issue exists in the Attachment Preview feature of Synology File Station, allowing remote authenticated users to inject arbitrary web script or HTML via malicious attachments. **Recommendations** For versions prior to 1.1.4-0122, update to version 1.1.4-0122 or later to resolve the issue. As a temporary workaround, consider restricting access to the Attachment Preview feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Synology Office versions prior to 3.0.3-2143 **Description** A cross-site scripting (XSS) issue exists in the Title Tooltip of Synology Office, allowing remote authenticated users to inject arbitrary web script or HTML via a malicious file name. **Recommendations** For versions prior to 3.0.3-2143, update to version 3.0.3-2143 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Synology Drive versions prior to 1.0.2-10275 **Description** The issue is related to improper access control, allowing remote authenticated users to access non-shared files or folders. The exact vectors used for this unauthorized access are not specified. **Recommendations** For versions prior to 1.0.2-10275, update to version 1.0.2-10275 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Synology Drive versions prior to 1.0.2-10275 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML via a malicious file name, exploiting a cross-site scripting (XSS) vulnerability in the File Sharing Notify Toast feature. **Recommendations** For versions prior to 1.0.2-10275, update to version 1.0.2-10275 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Synology Drive versions prior to 1.0.1-10253 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the Attachment Preview feature. This allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments. **Recommendations** For versions prior to 1.0.1-10253, update to version 1.0.1-10253 or later to resolve the issue. As a temporary workaround, consider restricting access to the Attachment Preview feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Synology Media Server versions prior to 1.7.6-2842 Synology Media Server versions prior to 1.4-2654 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `ObjectID` parameter. **Recommendations** For versions prior to 1.7.6-2842, update to version 1.7.6-2842 or later. For versions prior to 1.4-2654, update to version 1.4-2654 or later.

**Name of the Vulnerable Software and Affected Versions** Synology Note Station versions prior to 2.5.1-0844 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote authenticated users to inject arbitrary web script or HTML via the `commit msg` parameter. **Recommendations** For versions prior to 2.5.1-0844, update to version 2.5.1-0844 or later to resolve the issue. As a temporary workaround, consider restricting access to the `commit msg` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Synology Note Station versions prior to 2.5.1-0844 **Description** A cross-site scripting (XSS) issue exists in the Attachment Preview feature of Synology Note Station, allowing remote authenticated users to inject arbitrary web script or HTML via malicious attachments. **Recommendations** For versions prior to 2.5.1-0844, update to version 2.5.1-0844 or later to resolve the issue.