PT-2020-4938 · Synology · Synology Router Manager

Claudio Bozzato

Published

2020-10-29

Updated

2020-11-03

CVE-2020-27658

CVSS v3.1

7.1

High

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions: Synology Router Manager (SRM) versions prior to 1.2.4-8081

Description: The issue is related to the absence of the HttpOnly flag in session cookies. This makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Recommendations: For versions prior to 1.2.4-8081, update to version 1.2.4-8081 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive information until the update is applied.

Exploit

Fix

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1004CWE-732

Related Identifiers

BDU:2020-05513

CVE-2020-27658

Affected Products

Synology Router Manager

PT-2020-4938 · Synology · Synology Router Manager

CVE-2020-27658

Weakness Enumeration

Related Identifiers

Affected Products

References · 7