Multiple cross-site scripting (XSS) vulnerabilities in Synology Disk Station 2.x before DSM3.0-1337 allow remote attackers to inject arbitrary web script or HTML by connecting to the FTP server and providing a crafted (1) USER or (2) PASS command, which is written by the FTP logging module to a web-interface log window, related to a "web commands injection" issue.
Published: 2010-09-29T17:00:02.993
Last modified: 2025-04-11T00:51:21.963
Status: Deferred
CVSSv2: 4.3 (MEDIUM)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Exploitability score: 8.6
Impact score: 2.9

| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | synology | dsm | 2.2-0942 | Yes |
| Operating System | synology | dsm | 2.2-1041 | Yes |
| Operating System | synology | dsm | 2.2-1042 | Yes |
| Operating System | synology | dsm | 2.2-1045 | Yes |
| Operating System | synology | dsm | 2.3-1139 | Yes |
| Operating System | synology | dsm | 2.3-1141 | Yes |
| Operating System | synology | dsm | 2.3-1144 | Yes |
| Operating System | synology | dsm | 2.3-1157 | Yes |
| Operating System | synology | dsm | 2.3-1161 | Yes |
| Operating System | synology | dsm | 3.0-1334 | Yes |
| Hardware | synology | disk_station_ds1010\+ | * | No |
| Hardware | synology | disk_station_ds109 | * | No |
| Hardware | synology | disk_station_ds110\+ | * | No |
| Hardware | synology | disk_station_ds110j | * | No |
| Hardware | synology | disk_station_ds209 | * | No |
| Hardware | synology | disk_station_ds210\+ | * | No |
| Hardware | synology | disk_station_ds210j | * | No |
| Hardware | synology | disk_station_ds409slim | * | No |
| Hardware | synology | disk_station_ds410 | * | No |
| Hardware | synology | disk_station_ds410j | * | No |
| Hardware | synology | disk_station_ds411\+ | * | No |
| Hardware | synology | disk_station_ds710\+ | * | No |