Synology Calendar, a file protection program running on Synology NAS (Network Storage Server) devices from Synology Inc. of Taiwan, China, is vulnerable to a cross-site scripting vulnerability in versions prior to Synology Calendar 2.4.5-10930. The vulnerability stems from the programβs lack of data validation filtering of user-supplied data and output. An attacker could exploit this vulnerability to execute JavaScript code on the client side.