Synology-SA-18:54 Calendar

Publish Time: 2018-10-08 16:42:03 UTC+8

Last Updated: 2019-04-01 03:49:36 UTC+8

Severity
Moderate
Status
Resolved

Abstract

A vulnerability allows remote authenticated users to upload arbitrary files via a susceptible version of Calendar.

Affected Products

Product Severity Fixed Release Availability
Calendar Moderate Upgrade to 2.2.2-0532 or above.

Mitigation

None

Detail

  • CVE-2018-13299
    • Severity: Moderate
    • CVSS3 Base Score: 4.3
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    • Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename parameter.

Acknowledgement

Chun Han Hsiao

Revision

Revision Date Description
1 2018-10-08 Initial public release.
2 2019-04-01 Disclosed vulnerability details.