A vulnerability was found in Synology Photo Station up to 6.8.7 (Network Attached Storage Software). It has been classified as critical. Affected is an unknown code block of the component SYNO.PhotoStation.Auth. The manipulation of the argument PHPSESSID as part of a Parameter leads to a session fixiation vulnerability. CWE is classifying the issue as CWE-384. Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology Photo Station before 6.8.7-3481 allows remote attackers to hijack web sessions via the PHPSESSID parameter.

The bug was discovered 07/23/2018. The weakness was presented 10/30/2018 (Website). The advisory is shared for download at synology.com. This vulnerability is traded as CVE-2018-13282 since 07/05/2018. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available.

The vulnerability was handled as a non-public zero-day exploit for at least 100 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 6.8.7-3481 eliminates this vulnerability.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Network Attached Storage Software

Vendor

• Synology

Name

• Photo Station

Version

• 6.8.0
• 6.8.1
• 6.8.2
• 6.8.3
• 6.8.4
• 6.8.5
• 6.8.6
• 6.8.7

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion