Important Information Regarding Photo Station Vulnerability

Publish Time: 2017-03-24 00:00:00 UTC+8

Last Updated: 2017-03-24 12:00:00 UTC+8

Severity
Low
Status
Resolved

Abstract

A reflected XSS vulnerability has been found in Photo Station that allows attackers to inject client-side scripts into web pages viewed by other users.


Affected

  • Products
    • Photo Station earlier than 6.7.0-3414
  • Models
    • All Synology models


Description

Photo Station earlier than 6.7.0-3414 does not escape special characters in image parameters, allowing remote attackers to conduct reflected cross-site scripting (XSS) attacks via modified parameters in an HTTP URL.


Mitigation

  • DSM 6.0 & DSM 6.1

    Go to Control Panel > Security > Security, and select Improve security with HTTP Content Security Policy (CSP) header.
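
The following is an added illustration, not Synology's code: it contrasts the unescaped image-parameter rendering the Description refers to with an escaped version, adds a check that detects whether a value with HTML metacharacters is reflected verbatim, and shows a CSP response header in the spirit of the mitigation above. The parameter name "image", the URL, and the exact CSP value are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request: the "image" query parameter carries HTML special
# characters (percent-decoded it reads: "><i>probe</i>). Hostname is a placeholder.
PROBE_URL = "https://nas.example.invalid/photo/?image=%22%3E%3Ci%3Eprobe%3C%2Fi%3E"


def image_param(url: str) -> str:
    """Return the 'image' query parameter (the parameter name is assumed)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("image", [""])[0]


def render_unescaped(name: str) -> str:
    """Pre-fix behaviour described in the advisory: the value is copied verbatim
    into the attribute, so quotes and angle brackets reach the browser as markup."""
    return f'<img src="/photo/{name}" alt="{name}">'


def render_escaped(name: str) -> str:
    """Fixed behaviour: escape & < > " ' (quote=True covers attribute context),
    so the value can no longer close the attribute or open a new tag."""
    safe = html.escape(name, quote=True)
    return f'<img src="/photo/{safe}" alt="{safe}">'


def reflects_unescaped(page: str, value: str) -> bool:
    """Detection check: True when a value containing HTML metacharacters
    reappears verbatim in the page, i.e. it was reflected without escaping."""
    return any(c in value for c in '&<>"\'') and value in page


# Defence in depth matching the advisory's CSP mitigation: even if a reflected
# value reaches the page, inline script is refused by the browser. The exact
# policy DSM sends is not stated in the advisory; this value is an assumption.
CSP_HEADER = {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}


def respond(url: str, renderer=render_escaped) -> tuple:
    """Assemble a (headers, body) pair the way a hardened handler would."""
    return (dict(CSP_HEADER), renderer(image_param(url)))
```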


Update Availability

To fix the security issue, go to DSM > Package Center, and update Photo Station to the latest version (6.7.0-3414) to protect your Synology NAS from malicious attacks.