Skip to main content

Surveillance Station CVE-2024-29241

CRITICAL
Missing Authorization (CWE-862)
2024-03-28 security@synology.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 28, 2024 - 07:16 nvd
CRITICAL 9.9

DescriptionNVD

Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors.

AnalysisAI

Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors. Affected products include: Synology Surveillance Station. Version information: before 9.2.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2021-38687 CRITICAL
9.8 Dec 29

A stack buffer overflow vulnerability has been reported to affect QNAP NAS running Surveillance Station. Rated critical

CVE-2021-28797 CRITICAL
9.8 Apr 14

A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. R

CVE-2024-29229 HIGH
7.7 Mar 28

Missing authorization vulnerability in GetLiveViewPath webapi component in Synology Surveillance Station before 9.2.0-92

CVE-2024-29228 HIGH
7.7 Mar 28

Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289

CVE-2024-29239 MEDIUM
5.4 Mar 28

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByC

CVE-2024-29238 MEDIUM
5.4 Mar 28

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategor

CVE-2024-29237 MEDIUM
5.4 Mar 28

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in ActionRule.Delete

CVE-2024-29236 MEDIUM
5.4 Mar 28

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in AudioPattern.Delet

CVE-2024-29235 MEDIUM
5.4 Mar 28

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in IOModule.EnumLog w

CVE-2024-29234 MEDIUM
5.4 Mar 28

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Group.Save webapi

CVE-2024-29233 MEDIUM
5.4 Mar 28

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Emap.Delete webapi

CVE-2024-29232 MEDIUM
5.4 Mar 28

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Alert.Enum webapi

Share

CVE-2024-29241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy