Synology-SA-24:16 SRM
Publish Time: UTC+8
Last Updated: UTC+8
- Severity: Moderate
- Status: Resolved
Abstract
Multiple vulnerabilities allow remote authenticated users to read specific files containing non-sensitive information, and allow remote authenticated users with admin privileges to execute arbitrary code, execute arbitrary commands, or inject arbitrary web script or HTML, via a susceptible version of Synology Router Manager (SRM).
Affected Products
Product | Severity | Fixed Release Availability |
---|---|---|
SRM 1.3 | Moderate | Upgrade to 1.3.1-9346-11 or above. |
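The fixed-release column is the only actionable check in this advisory, so here is an added example (not Synology code) that parses SRM version strings and decides whether a given build is at or above 1.3.1-9346-11. It assumes SRM versions have the shape MAJOR.MINOR.PATCH-BUILD-HOTFIX with the hotfix part optional and all parts numeric; the sample versions other than the fixed release are constructed for illustration.

```python
"""Triage an SRM version string against the fixed release in Synology-SA-24:16.

Added example, not Synology code. Assumes SRM versions look like
MAJOR.MINOR.PATCH-BUILD[-HOTFIX] (e.g. "1.3.1-9346-11") and compare numerically.
"""
import re
from typing import Tuple

# Fixed release quoted in the advisory's Affected Products table.
FIXED_RELEASE = "1.3.1-9346-11"

# Only the SRM 1.3 line is listed as affected; other lines are reported as "not listed".
AFFECTED_LINES = {(1, 3)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:-(\d+))?$")


def parse_srm_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn "1.3.1-9346-11" into a tuple that compares correctly; a missing hotfix counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SRM version string: {version!r}")
    major, minor, patch, build, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(build), int(hotfix or 0))


def is_fixed(version: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when `version` is the fixed release or newer (tuple comparison, not string comparison)."""
    return parse_srm_version(version) >= parse_srm_version(fixed)


def triage(version: str, fixed: str = FIXED_RELEASE) -> str:
    """Classify a version as "affected", "fixed" or "not listed" (a line the advisory does not cover)."""
    parsed = parse_srm_version(version)
    if parsed[:2] not in AFFECTED_LINES:
        return "not listed"
    return "fixed" if parsed >= parse_srm_version(fixed) else "affected"


if __name__ == "__main__":
    # Constructed sample inventory; only FIXED_RELEASE comes from the advisory.
    for v in ["1.3.1-9346-10", "1.3.1-9346-11", "1.3.1-9347", "1.2.5-8227-6"]:
        print(f"{v:16} -> {triage(v)}")
```

String comparison would get "1.3.1-9346-9" versus "1.3.1-9346-11" wrong (the "9" sorts after "1"), which is why the version is parsed into integers first; an unparseable string raises instead of silently reporting "fixed".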
Mitigation
None
Detail
CVE-2024-53286
- Severity: Important
- CVSS3 Base Score: 7.2
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to execute arbitrary code via unspecified vectors.
CVE-2024-53287
- Severity: Moderate
- CVSS3 Base Score: 5.9
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
CVE-2024-53288
- Severity: Moderate
- CVSS3 Base Score: 5.9
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in NTP Region functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.
Acknowledgement
Only Hack in Cave (tr4ce (Jinho Ju), neko_hat (Dohwan Kim), tw0n3 (Han Lee), Hc0wl (GangMin Kim)) (https://github.com/Team-OHiC)
Reference
Revision
Revision | Date | Description |
---|---|---|
1 | 2024-10-18 | Initial public release. |
2 | 2024-11-20 | Disclosed vulnerability details. |
3 | 2025-07-23 | Disclosed vulnerability details. |