CVE-2024-53287 | ByteOS Network

Vulnerability Details :

CVE-2024-53287

Assigner-synology

Assigner Org ID-db201096-a0cc-46c7-9a55-61d9e221bf01

Published At-23 Jul, 2025 | 04:11

Updated At-23 Jul, 2025 | 15:14

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.

EPSS History

Score

Latest Score

-

N/A

Percentile

Latest Percentile

-

N/A

▼Common Vulnerabilities and Exposures (CVE)

Assigner:synology

Assigner Org ID:db201096-a0cc-46c7-9a55-61d9e221bf01

Published At:23 Jul, 2025 | 04:11

Updated At:23 Jul, 2025 | 15:14

▼CVE Numbering Authority (CNA)

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.

Affected Products

Vendor

Product

Synology Router Manager (SRM)

Default Status

affected

Versions

Affected

From 1.3 before 1.3.1-9346-11 (semver)

unknown

From 0 before 1.3 (semver)

Problem Types

Type	CWE ID	Description
CWE	CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Type: CWE

CWE ID: CWE-79

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Metrics

Version	Base score	Base severity	Vector
3.1	5.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Version: 3.1

Base score: 5.9

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Credits

finder

Only Hack in Cave (tr4ce(Jinho Ju), neko_hat(Dohwan Kim), tw0n3(Han Lee), Hc0wl(GangMin Kim)) (https://github.com/Team-OHiC)

References

Hyperlink	Resource
https://www.synology.com/en-global/security/advisory/Synology_SA_24_16	vendor-advisory

Hyperlink: https://www.synology.com/en-global/security/advisory/Synology_SA_24_16

Resource:

vendor-advisory

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

Source:security@synology.com

Published At:23 Jul, 2025 | 05:15

Updated At:29 Jul, 2025 | 19:33

Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Type: Secondary

Version: 3.1

Base score: 5.9

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CPE Matches

>>router_manager>>Versions from 1.3(inclusive) to 1.3.1-9346(exclusive)

cpe:2.3:o:synology:router_manager:*:*:*:*:*:*:*:*

>>router_manager>>1.3.1-9346

cpe:2.3:o:synology:router_manager:1.3.1-9346:-:*:*:*:*:*:*

>>router_manager>>1.3.1-9346

cpe:2.3:o:synology:router_manager:1.3.1-9346:update1:*:*:*:*:*:*

>>router_manager>>1.3.1-9346

cpe:2.3:o:synology:router_manager:1.3.1-9346:update10:*:*:*:*:*:*

>>router_manager>>1.3.1-9346

cpe:2.3:o:synology:router_manager:1.3.1-9346:update2:*:*:*:*:*:*

>>router_manager>>1.3.1-9346

cpe:2.3:o:synology:router_manager:1.3.1-9346:update3:*:*:*:*:*:*

>>router_manager>>1.3.1-9346

cpe:2.3:o:synology:router_manager:1.3.1-9346:update4:*:*:*:*:*:*

>>router_manager>>1.3.1-9346

cpe:2.3:o:synology:router_manager:1.3.1-9346:update5:*:*:*:*:*:*

>>router_manager>>1.3.1-9346

cpe:2.3:o:synology:router_manager:1.3.1-9346:update6:*:*:*:*:*:*

>>router_manager>>1.3.1-9346

cpe:2.3:o:synology:router_manager:1.3.1-9346:update7:*:*:*:*:*:*

>>router_manager>>1.3.1-9346

cpe:2.3:o:synology:router_manager:1.3.1-9346:update8:*:*:*:*:*:*

>>router_manager>>1.3.1-9346

cpe:2.3:o:synology:router_manager:1.3.1-9346:update9:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-79	Primary	security@synology.com

CWE ID: CWE-79

Type: Primary

Source: security@synology.com

References

Hyperlink	Source	Resource
https://www.synology.com/en-global/security/advisory/Synology_SA_24_16	security@synology.com	Vendor Advisory

Hyperlink: https://www.synology.com/en-global/security/advisory/Synology_SA_24_16

Source: security@synology.com

Resource:

Vendor Advisory