moften

Multiple Cross-Site Scripting vulnerabilities in Synology Do

Oct 15th, 2015
------------------------------------------------------------------------
Multiple Cross-Site Scripting vulnerabilities in Synology Download
Station
------------------------------------------------------------------------
Han Sahin, September 2015

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Multiple Cross-Site Scripting vulnerabilities were found in Synology
Download Station. These issues allow attackers to perform a wide variety
of actions, such as stealing victims' session tokens or login
credentials if available, performing arbitrary actions on their behalf,
and performing arbitrary redirects to potentially malicious websites.

------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
These issues have been tested on Synology Download Station version
3.5-2956 and version 3.5-2962.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Synology reports that these issues have been resolved in:

- Download Station version 3.5-2962 [Create download task via file
upload]
- Download Station version 3.5-2967 [Create download task via URL]

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20150809/multiple_cross_site_scripting_vulnerabilities_in_synology_download_station.html