Synology Security Advisory SA-24:02 DSM

A vulnerability allows remote authenticated users to conduct phishing attacks via a susceptible version of the NAS OS.

Synology, Inc. has published a security advisory concerning a vulnerability that allows remote authenticated users to conduct phishing attacks via a susceptible version of the Synology DiskStation Manager (DSM) NAS OS.

Publish time: 2024-01-24 18:08:36 UTC+8
Last updated: 2024-01-24 18:09:10 UTC+8
Severity: Moderate
Status: Ongoing

Abstract
A vulnerability allows remote authenticated users to conduct phishing attacks via a susceptible version of DSM.

Affected products

Product   Severity   Fixed Release availability
DSM 7.2   Moderate   Upgrade to 7.2.1-69057-2 or above.
DSM 7.1   Moderate   Ongoing
DSM 6.2   Moderate   Ongoing

Mitigation: None

Detail:

  • CVE-2024-0854
    • Severity: Moderate
    • CVSS3 Base Score: 4.1
    • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
    • URL redirection to untrusted site (‘Open Redirect’) vulnerability in file access component in DSM before 7.2.1-69057-2 allows remote authenticated users to conduct phishing attacks via unspecified vectors.
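The advisory classifies CVE-2024-0854 as an open redirect (CWE-601): a server-side redirect whose destination is taken from a request parameter without checking that it stays on the application's own origin, so a link that appears to point at the NAS can land a logged-in user on an attacker-controlled page. The following Python is an added illustration of the vulnerable pattern beside a hardened version, plus a small check that scans access-log lines for redirect parameters that would have been rejected; it is not Synology's code and does not reflect how DSM's file access component is implemented. The origin `https://nas.example.internal:5001`, the `/login?next=` endpoint and the log lines are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed: origin of a hypothetical NAS web UI (not a real DSM setting).
TRUSTED_ORIGIN = "https://nas.example.internal:5001"


def unsafe_redirect_target(requested: str) -> str:
    """Vulnerable pattern: the caller-supplied 'next' value is returned as the
    Location header unchanged, so an absolute URL sends the user off-site."""
    return requested


def safe_redirect_target(requested: str, default: str = "/") -> str:
    """Hardened pattern: honour only destinations that resolve to a path on
    TRUSTED_ORIGIN and return them as a relative path; anything else falls
    back to a fixed default."""
    if not requested:
        return default
    # Scheme-relative URLs ("//host"), backslashes (browsers normalise them to
    # slashes) and control characters are never legitimate here.
    if (requested.startswith("//") or "\\" in requested
            or any(ord(c) < 0x20 for c in requested)):
        return default
    # Resolve relative to the trusted origin, then insist the result stays there.
    resolved = urljoin(TRUSTED_ORIGIN + "/", requested)
    parts = urlparse(resolved)
    trusted = urlparse(TRUSTED_ORIGIN)
    if parts.scheme != trusted.scheme or parts.netloc != trusted.netloc:
        return default
    # Emit only path and query so the response can never name another host.
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


# Constructed access-log lines (not taken from any real DSM log).
SAMPLE_LOG = [
    '10.0.0.5 - alice "GET /login?next=/files/share%3Fid%3D42 HTTP/1.1" 302',
    '10.0.0.7 - bob "GET /login?next=https://login.example.net/dsm HTTP/1.1" 302',
    '10.0.0.9 - carol "GET /login?next=//evil.example/ HTTP/1.1" 302',
]


def offsite_redirects(lines):
    """Detection aid: return every 'next' value in the log that the hardened
    check would refuse, i.e. redirects that would have left the origin."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) ', line)
        if not m:
            continue
        query = urlparse(m.group(1)).query
        for target in parse_qs(query).get("next", []):
            if target != "/" and safe_redirect_target(target) == "/":
                hits.append(target)
    return hits


if __name__ == "__main__":
    for candidate in ("/files/share?id=42", "https://evil.example/login",
                      "//evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:40} unsafe -> {unsafe_redirect_target(candidate)!r:40} "
              f"safe -> {safe_redirect_target(candidate)!r}")
    print("off-site redirects seen in log:", offsite_redirects(SAMPLE_LOG))
```

The hardened function deliberately rebuilds the destination from its parsed parts rather than comparing string prefixes, which is what defeats look-alike hosts such as `nas.example.internal:5001.evil.example`; the log scan reuses the same function so the detection rule and the fix cannot drift apart.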

Acknowledgement
Jangwoo Choi, HYEONJUN LEE, SoYeon Kim, TaeWan Ha, DoHwan Kim (https://zrr.kr/SWND)

Reference: CVE-2024-0854

Revision

Revision   Date         Description
1          2024-01-24   Initial public release.
2          2024-01-24   Disclosed vulnerability details.
