CVE-2015-9105 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Synology	Video Station

Configuration 1 [-]

OR	cpe:2.3:a:synology:video_station:1.2-0439:::::::*
	cpe:2.3:a:synology:video_station:1.2-0443:::::::*
	cpe:2.3:a:synology:video_station:1.2-0447:::::::*
	cpe:2.3:a:synology:video_station:1.2-0451:::::::*
	cpe:2.3:a:synology:video_station:1.2-0453:::::::*
	cpe:2.3:a:synology:video_station:1.5-0753:::::::*
	cpe:2.3:a:synology:video_station:1.5-0754:::::::*
	cpe:2.3:a:synology:video_station:1.5-0757:::::::*
	cpe:2.3:a:synology:video_station:1.5-0763:::::::*
	cpe:2.3:a:synology:video_station:1.5-0770:::::::*
	cpe:2.3:a:synology:video_station:1.6-0835:::::::*
	cpe:2.3:a:synology:video_station:1.6-0840:::::::*
	cpe:2.3:a:synology:video_station:1.6-0841:::::::*
	cpe:2.3:a:synology:video_station:1.6-0844:::::::*

References

Link	Resource
http://www.fortiguard.com/zeroday/FG-VD-15-107	Third Party Advisory
http://www.fortiguard.com/zeroday/FG-VD-15-108	Third Party Advisory
https://www.synology.com/en-global/support/security/Video_station_1_5_0772	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: synology

Published: 2015-12-10T00:00:00

Updated: 2017-06-30T12:57:01

Reserved: 2017-06-29T00:00:00

Link: CVE-2015-9105

JSON object: View

NVD Information

Status : Modified

Published: 2017-06-30T13:29:00.287

Modified: 2019-10-09T23:15:54.963

Link: CVE-2015-9105

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "Video Station", "vendor": "Synology", "versions": [{"status": "affected", "version": "1.2"}, {"status": "affected", "version": "1.5"}, {"status": "affected", "version": "1.6"}]}], "datePublic": "2015-12-10T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross Site Scripting (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-06-30T12:57:01", "orgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "shortName": "synology"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.fortiguard.com/zeroday/FG-VD-15-107"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.synology.com/en-global/support/security/Video_station_1_5_0772"}, {"tags": ["x_refsource_MISC"], "url": "http://www.fortiguard.com/zeroday/FG-VD-15-108"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@synology.com", "DATE_PUBLIC": "2015-12-10T00:00:00", "ID": "CVE-2015-9105", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Video Station", "version": {"version_data": [{"version_value": "1.2"}, {"version_value": "1.5"}, {"version_value": "1.6"}]}}]}, "vendor_name": "Synology"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross Site Scripting (CWE-79)"}]}]}, "references": {"reference_data": [{"name": "http://www.fortiguard.com/zeroday/FG-VD-15-107", "refsource": "MISC", "url": "http://www.fortiguard.com/zeroday/FG-VD-15-107"}, {"name": "https://www.synology.com/en-global/support/security/Video_station_1_5_0772", "refsource": "CONFIRM", "url": "https://www.synology.com/en-global/support/security/Video_station_1_5_0772"}, {"name": "http://www.fortiguard.com/zeroday/FG-VD-15-108", "refsource": "MISC", "url": "http://www.fortiguard.com/zeroday/FG-VD-15-108"}]}}}}, "cveMetadata": {"assignerOrgId": "db201096-a0cc-46c7-9a55-61d9e221bf01", "assignerShortName": "synology", "cveId": "CVE-2015-9105", "datePublished": "2015-12-10T00:00:00", "dateReserved": "2017-06-29T00:00:00", "dateUpdated": "2017-06-30T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synology:video_station:1.2-0439:*:*:*:*:*:*:*", "matchCriteriaId": "81F897FC-85D3-49F0-81BE-D7D5A61139CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.2-0443:*:*:*:*:*:*:*", "matchCriteriaId": "2F5F29DC-3EC2-426D-95EF-738740132F12", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.2-0447:*:*:*:*:*:*:*", "matchCriteriaId": "39CCFB49-AFDE-45DC-80BD-0F2B1D2226F8", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.2-0451:*:*:*:*:*:*:*", "matchCriteriaId": "F9BE07BC-C272-49ED-B40A-25C606162FBD", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.2-0453:*:*:*:*:*:*:*", "matchCriteriaId": "25A5FA37-18B2-4A4E-9722-92D495904CCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.5-0753:*:*:*:*:*:*:*", "matchCriteriaId": "2298653F-BC1D-438E-A8F4-AE92BF00B94E", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.5-0754:*:*:*:*:*:*:*", "matchCriteriaId": "9D274409-AD82-4111-888B-A11E182607BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.5-0757:*:*:*:*:*:*:*", "matchCriteriaId": "532C3C7A-5511-4044-8553-E0C3AE33D773", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.5-0763:*:*:*:*:*:*:*", "matchCriteriaId": "E1A14F9F-71CA-4F47-8A8B-EA5FFD177FE9", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.5-0770:*:*:*:*:*:*:*", "matchCriteriaId": "6618F6CE-AA13-4153-8C38-C069C50339F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.6-0835:*:*:*:*:*:*:*", "matchCriteriaId": "75EDDEDA-572F-4BF5-9C0C-0689C8381B12", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.6-0840:*:*:*:*:*:*:*", "matchCriteriaId": "513AC704-4458-4DFB-924D-5D87CD9F51C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.6-0841:*:*:*:*:*:*:*", "matchCriteriaId": "ABEE8DFB-50A4-4FEC-8794-EAD9A9347D2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:video_station:1.6-0844:*:*:*:*:*:*:*", "matchCriteriaId": "95AC4B5C-EC9E-4DB8-B0A9-B020293B263D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Synology Video Station 1.2 before 1.2-0455, 1.5 before 1.5-0772, and 1.6 before 1.6-0847 allow remote authenticated attackers to inject arbitrary web script or HTML via the (1) file name or (2) collection name of videos."}, {"lang": "es", "value": "Varias vulnerabilidades de XSS (cross-site scripting) en Synology Video Station versi\u00f3n 1.2 y anteriores a la 1.2-0455, versi\u00f3n 1.5 y anteriores a la 1.5-0772 y versi\u00f3n 1.6 y anteriores a la 1.6-0847, permiten a atacantes remotos autenticados inyectar secuencias de comandos web o HTML a trav\u00e9s del nombre de archivo (1) o (2) nombre de la colecci\u00f3n de videos."}], "id": "CVE-2015-9105", "lastModified": "2019-10-09T23:15:54.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-30T13:29:00.287", "references": [{"source": "security@synology.com", "tags": ["Third Party Advisory"], "url": "http://www.fortiguard.com/zeroday/FG-VD-15-107"}, {"source": "security@synology.com", "tags": ["Third Party Advisory"], "url": "http://www.fortiguard.com/zeroday/FG-VD-15-108"}, {"source": "security@synology.com", "tags": ["Vendor Advisory"], "url": "https://www.synology.com/en-global/support/security/Video_station_1_5_0772"}], "sourceIdentifier": "security@synology.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@synology.com", "type": "Secondary"}]}