CVE-2017-16774

Name of the Vulnerable Software and Affected Versions Synology DiskStation Manager (DSM) versions prior to 6.1.4-15217-3

Description A cross-site scripting (XSS) issue exists, allowing remote authenticated users to inject arbitrary web script or HTML. This is due to insufficient validation of user input in the package parameter of the SYNO.Core.PersonalNotification.Event module.

Recommendations For versions prior to 6.1.4-15217-3, update to version 6.1.4-15217-3 or later to resolve the issue. As a temporary workaround, consider restricting access to the SYNO.Core.PersonalNotification.Event module to minimize the risk of exploitation. Avoid using the package parameter in the affected module until the issue is resolved.