Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain non-sensitive information, write sensitive configurations in DSM, and reboot or shutdown NAS via unspecified vectors.
The System webapi component in Synology Surveillance Station does not enforce proper authorization verification before executing specific requests. An authenticated remote user without appropriate administrative privileges can send requests to the vulnerable API without additional authorization. As a result, it is possible to write sensitive configurations in the DSM (DiskStation Manager) system and initiate a restart or shutdown of the NAS device.
An attacker with any user account can overwrite sensitive DSM configuration settings, force a restart or shutdown of the NAS device, and read undefined system information. These actions may lead to service availability disruption and system integrity violation.
Synology Surveillance Station should be updated to version 9.2.0-9289 or 9.2.0-11289 (or newer), in accordance with the manufacturer's recommendations described in the Synology_SA_24_04 bulletin available at https://www.synology.com/en-global/security/advisory/Synology_SA_24_04.
Synology Surveillance Station in versions prior to 9.2.0-9289 and prior to 9.2.0-11289, running on Synology DiskStation Manager (DSM).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:HSynology Diskstation Manager
OSSynology6.27.17.2Synology Surveillance Station
APPSynology< 9.2.0-9289< 9.2.0-11289
Related vulnerabilities
CSRF umożliwiający RCE w Synology DiskStation Manager i Unified Controller
RCE przez błąd off-by-one w komponencie transmisji Synology Replication Service
RCE w Synology BeeStation OS i DSM — błąd kodowania wyjścia w systemowym daemonie
OS Command Injection w Synology BeePhotos i Synology Photos — RCE bez uwierzytelnienia
A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in ...