CVE-2015-6913

Name of the Vulnerable Software and Affected Versions Synology Download Station versions prior to 3.5-2967

Description A cross-site scripting (XSS) issue exists in the "Create download task via URL" feature, allowing remote attackers to inject arbitrary web script or HTML via the urls parameter in an add url task action to "dlm/downloadman.cgi".

Recommendations For versions prior to 3.5-2967, update to version 3.5-2967 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Create download task via URL" feature until the update is applied. Avoid using the urls parameter in the affected API endpoint until the issue is resolved.