Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors.
AnalysisAI
Cross-site scripting in Synology Contacts before version 1.0.10-20659 allows authenticated remote users to read or write specific files containing non-sensitive information by injecting malicious input through the contact functionality. The CVSS scope change (S:C) confirms the injected script executes in a context beyond the originating application, affecting any victim who views the crafted contact entry. No public exploit identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog.
Technical ContextAI
This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerability - a classic XSS defect where user-supplied data is rendered in a web page without adequate sanitization or encoding. The affected component is the contact functionality within Synology Contacts, a web-based contact management application distributed as a Synology DiskStation Package. The CVSS scope flag S:C (Changed) is significant: it indicates the vulnerability crosses trust boundaries, meaning injected script can interact with browser resources outside the Synology Contacts application itself. The attack vector is network-based (AV:N) and requires only low-level authenticated access (PR:L), consistent with a regular end-user account rather than an administrator. The full affected version range is Synology Contacts any version up to and not including 1.0.10-20659, as confirmed by both NVD CPE data and the ENISA EUVD entry EUVD-2025-209954.
RemediationAI
Update Synology Contacts to version 1.0.10-20659 or later. The patch is confirmed available from the vendor per Synology Security Advisory SA_25_13 at https://www.synology.com/en-global/security/advisory/Synology_SA_25_13. Updates can be applied through the DiskStation Manager Package Center. If immediate patching is not feasible, a compensating control is to restrict Contacts write access to trusted, verified users only, reducing the pool of potential attackers who could inject malicious content. Additionally, limiting sharing or external visibility of contact entries reduces the likelihood of a victim rendering injected content. No significant side effects of upgrading to 1.0.10-20659 are documented by the vendor.
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authe
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allo
Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharact
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remot
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allo
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers
Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to exec
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 all
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to acce
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209954
GHSA-32xh-xfmp-f6p6