Skip to main content

Video Station CVE-2015-9105

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2017-06-30 security@synology.com
5.4
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 30, 2017 - 13:29 cve.org
MEDIUM 5.4

DescriptionCVE.org

Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos.

AnalysisAI

Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos. Affected products include: Synology Video Station. Version information: before 1.2.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2015-6912 CRITICAL POC
10.0 Sep 11

Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharact

CVE-2015-6911 HIGH POC
7.5 Sep 11

SQL injection vulnerability in Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary SQL c

CVE-2015-6910 HIGH POC
7.5 Sep 11

SQL injection vulnerability in Synology Video Station before 1.5-0757 allows remote attackers to execute arbitrary SQL c

CVE-2017-13071 CRITICAL
9.8 Nov 22

QNAP has already patched this vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploita

CVE-2021-33181 CRITICAL
9.1 Jun 01

Server-Side Request Forgery (SSRF) vulnerability in webapi component in Synology Video Station before 2.4.10-1632 allows

CVE-2023-41288 HIGH
8.8 Jan 05

An OS command injection vulnerability has been reported to affect Video Station. Rated high severity (CVSS 8.8), this vu

CVE-2024-56804 HIGH
8.8 Oct 03

An SQL injection vulnerability has been reported to affect Video Station. If a remote attacker gains a user account, the

CVE-2023-34976 HIGH
8.8 Oct 13

A SQL injection vulnerability has been reported to affect Video Station. Rated high severity (CVSS 8.8), this vulnerabil

CVE-2023-34975 HIGH
8.8 Oct 13

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. Rated high sev

CVE-2021-28812 HIGH
8.8 Jun 03

A command injection vulnerability has been reported to affect certain versions of Video Station. Rated high severity (CV

CVE-2024-14025 MEDIUM
6.7 Mar 11

An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who

CVE-2024-14024 MEDIUM
6.7 Mar 11

An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local n

Share

CVE-2015-9105 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy