CVE-2021-26560

Name of the Vulnerable Software and Affected Versions Synology DiskStation Manager (DSM) versions prior to 6.2.3-25426-3

Description The issue concerns the cleartext transmission of sensitive information in the synoagentregisterd component, allowing man-in-the-middle attackers to spoof servers via an HTTP session. This can be exploited by attackers to intercept and manipulate sensitive data.

Recommendations For versions prior to 6.2.3-25426-3, update to version 6.2.3-25426-3 or later to resolve the issue. As a temporary workaround, consider restricting access to the synoagentregisterd component to minimize the risk of exploitation. Avoid using HTTP sessions for sensitive information transmission until the issue is resolved.