2 matches found
Synology SRM web interface session cookie HttpOnly flag information disclosure vulnerability
Talos Vulnerability Report TALOS-2020-1086 Synology SRM web interface session cookie HttpOnly flag information disclosure vulnerability October 30, 2020 CVE Number CVE-2020-27658 SUMMARY An exploitable information disclosure vulnerability exists in the web interface session cookie functionality o...
CVE-2020-27658
Synology SRM (on SRM up to 1.2.4-8081) is affected by CVE-2020-27658: the web interface session cookie id is Set-Cookie without the HttpOnly flag, enabling potential theft of the cookie via injected JavaScript and facilitating an XSS-based information disclosure. TALOS details confirm the vulnera...