CVE-2020-9033

Name of the Vulnerable Software and Affected Versions Symmetricom SyncServer S100 version 2.90.70.3 Symmetricom SyncServer S200 version 1.30 Symmetricom SyncServer S250 version 1.25 Symmetricom SyncServer S300 version 2.65.0 Symmetricom SyncServer S350 version 2.80.1

Description The issue allows Directory Traversal via the FileName parameter to "authlog.php".

Recommendations For Symmetricom SyncServer S100 version 2.90.70.3, consider restricting access to the "authlog.php" endpoint to minimize the risk of exploitation. For Symmetricom SyncServer S200 version 1.30, avoid using the FileName parameter in the affected API endpoint until the issue is resolved. For Symmetricom SyncServer S250 version 1.25, restrict access to the vulnerable module related to "authlog.php" to minimize the risk of exploitation. For Symmetricom SyncServer S300 version 2.65.0, consider disabling the functionality that uses the FileName parameter until a fix is available. For Symmetricom SyncServer S350 version 2.80.1, as a temporary workaround, consider disabling access to "authlog.php" until a patch is available.