CVE-2020-9030

Name of the Vulnerable Software and Affected Versions Symmetricom SyncServer S100 version 2.90.70.3 Symmetricom SyncServer S200 version 1.30 Symmetricom SyncServer S250 version 1.25 Symmetricom SyncServer S300 version 2.65.0 Symmetricom SyncServer S350 version 2.80.1

Description The issue allows Directory Traversal via the FileName parameter to the "syslog.php" endpoint. This means an attacker could potentially access or manipulate files outside the intended directory structure by manipulating the FileName parameter in requests to the "syslog.php" endpoint.

Recommendations For Symmetricom SyncServer S100 version 2.90.70.3, consider restricting access to the "syslog.php" endpoint until a fix is available. For Symmetricom SyncServer S200 version 1.30, avoid using the FileName parameter in the "syslog.php" endpoint until the issue is resolved. For Symmetricom SyncServer S250 version 1.25, restrict access to the vulnerable "syslog.php" endpoint to minimize the risk of exploitation. For Symmetricom SyncServer S300 version 2.65.0, consider disabling the "syslog.php" endpoint as a temporary workaround until a patch is available. For Symmetricom SyncServer S350 version 2.80.1, limit the use of the FileName parameter in the "syslog.php" endpoint to prevent potential directory traversal attacks.