The following advisory describe two (2) stored Cross-Site Scripting (XSS) found in Synology DiskStation Manager (DSM).
- Cross-site scripting stored in SWF file
- Cross-site scripting stored in Video Station application
Synology DiskStation Manager (DSM), a Linux based software package that is the operating system for the DiskStation and RackStation products. The Synology DSM is the foundation of the DiskStation, which integrates the basic functions of file sharing, centralized backup, RAID storage, multimedia streaming, virtual storage, and using the DiskStation as a network video recorder.
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Repeated emails (email@example.com) sent to the vendor, since March, were answered with unclear answers:
“Sorry for the misunderstanding. You reported it to us and what I meant was that our developers have verified your report and it’s been logged as a known issue now.
So, your report to us is highly appreciated and we thank you very much for your help!”
On August 11, 2017 we received an email from Synology with a link to the patch they released.
For more information: https://www.synology.com/en-global/support/security/Synology_SA_17_39_Video_Station