Skip to main content

Synology Contacts CVE-2025-13167

| EUVDEUVD-2025-209954 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 security@synology.com GHSA-32xh-xfmp-f6p6
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 23:21 vuln.today
Patch available
May 27, 2026 - 19:46 EUVD

DescriptionCVE.org

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors.

AnalysisAI

Cross-site scripting in Synology Contacts before version 1.0.10-20659 allows authenticated remote users to read or write specific files containing non-sensitive information by injecting malicious input through the contact functionality. The CVSS scope change (S:C) confirms the injected script executes in a context beyond the originating application, affecting any victim who views the crafted contact entry. No public exploit identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

Technical ContextAI

This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability - a classic XSS defect where user-supplied data is rendered in a web page without adequate sanitization or encoding. The affected component is the contact functionality within Synology Contacts, a web-based contact management application distributed as a Synology DiskStation Package. The CVSS scope flag S:C (Changed) is significant: it indicates the vulnerability crosses trust boundaries, meaning injected script can interact with browser resources outside the Synology Contacts application itself. The attack vector is network-based (AV:N) and requires only low-level authenticated access (PR:L), consistent with a regular end-user account rather than an administrator. The full affected version range is Synology Contacts any version up to and not including 1.0.10-20659, as confirmed by both NVD CPE data and the ENISA EUVD entry EUVD-2025-209954.

RemediationAI

Update Synology Contacts to version 1.0.10-20659 or later. The patch is confirmed available from the vendor per Synology Security Advisory SA_25_13 at https://www.synology.com/en-global/security/advisory/Synology_SA_25_13. Updates can be applied through the DiskStation Manager Package Center. If immediate patching is not feasible, a compensating control is to restrict Contacts write access to trusted, verified users only, reducing the pool of potential attackers who could inject malicious content. Additionally, limiting sharing or external visibility of contact entries reduces the likelihood of a victim rendering injected content. No significant side effects of upgrading to 1.0.10-20659 are documented by the vendor.

CVE-2013-6955 CRITICAL POC
10.0 Jan 09

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before

CVE-2017-15889 HIGH POC
8.8 Dec 04

Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authe

CVE-2017-9554 MEDIUM POC
5.3 Jul 24

An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allo

CVE-2015-6912 CRITICAL POC
10.0 Sep 11

Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharact

CVE-2013-6987 HIGH POC
7.5 Dec 31

Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before

CVE-2017-11155 HIGH POC
7.5 Aug 08

An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remot

CVE-2017-11153 CRITICAL POC
9.8 Aug 08

Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allo

CVE-2017-11151 CRITICAL POC
9.8 Aug 08

A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers

CVE-2016-10329 CRITICAL POC
9.8 May 12

Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to exec

CVE-2017-11152 HIGH POC
7.5 Aug 08

Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 all

CVE-2020-27655 CRITICAL POC
10.0 Oct 29

Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to acce

CVE-2024-10443 CRITICAL POC
9.8 Nov 15

Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager

Share

CVE-2025-13167 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy