CVE-2018-8928

Name of the Vulnerable Software and Affected Versions Synology CardDAV Server versions prior to 6.0.8-0086

Description A cross-site scripting (XSS) issue exists in the Address Book Editor of Synology CardDAV Server, allowing remote authenticated users to inject arbitrary web script or HTML via the family name, given name, or additional name parameters.

Recommendations For versions prior to 6.0.8-0086, update to version 6.0.8-0086 or later to resolve the issue. As a temporary workaround, consider restricting access to the Address Book Editor until the update is applied. Avoid using the family name, given name, or additional name parameters in the affected API endpoint until the issue is resolved.