PT-2015-7396 · Synology · Synology Download Station

Cengiz Han Sahin · Published 2015-09-11 · Updated 2018-10-09 · CVE-2015-6909

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: Synology Download Station versions prior to 3.5-2962

Description: A cross-site scripting (XSS) issue exists in the "Create download task via file upload" feature, allowing remote attackers to inject arbitrary web script or HTML via the name element in the Info dictionary in a torrent file.

Recommendations: For versions prior to 3.5-2962, update to version 3.5-2962 or later to resolve the issue. As a temporary workaround, consider restricting the use of the "Create download task via file upload" feature until a patch is applied. Avoid using the name element in the Info dictionary in torrent files to minimize the risk of exploitation.

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2015-6909

Affected Products

Synology Download Station