PT-2024-22834 · Synology · Surveillance Station

Team.Envy

Published

2024-03-27

Updated

2025-01-14

CVE-2024-29238

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Synology Surveillance Station versions prior to 9.2.0-9289 and 9.2.0-11289

Description The issue is related to an improper neutralization of special elements used in an SQL command, also known as 'SQL Injection', in the Log.CountByCategory webapi component. This allows remote authenticated users to inject SQL commands via unspecified vectors.

Recommendations For versions prior to 9.2.0-9289, update to version 9.2.0-9289 or later. For versions prior to 9.2.0-11289, update to version 9.2.0-11289 or later.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2024-29238

Affected Products

Surveillance Station

PT-2024-22834 · Synology · Surveillance Station

CVE-2024-29238

Weakness Enumeration

Related Identifiers

Affected Products

References · 6