CVE-2015-6909 in Download Stationinfo

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in the "Create download task via file upload" feature in Synology Download Station before 3.5-2962 allows remote attackers to inject arbitrary web script or HTML via the name element in the Info dictionary in a torrent file.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/14/2022

The CVE-2015-6909 vulnerability represents a critical cross-site scripting flaw discovered in Synology Download Station software prior to version 3.5-2962. This vulnerability specifically targets the "Create download task via file upload" functionality, which enables users to add torrent files to their download queue. The flaw occurs when the system processes torrent files containing maliciously crafted name elements within the Info dictionary structure, creating an avenue for remote attackers to execute arbitrary web scripts or HTML code within the context of other users' browsers.

The technical implementation of this vulnerability stems from inadequate input validation and sanitization within the torrent file processing pipeline. When users upload torrent files through the Download Station interface, the system parses the metadata contained within the Info dictionary, particularly focusing on the name field. Attackers can manipulate this field to include malicious JavaScript code or HTML content that gets executed when other users view the download task information. This type of vulnerability falls under CWE-79 - Improper Neutralization of Input During Web Page Generation, which specifically addresses the failure to properly sanitize user-supplied data before incorporating it into web pages. The vulnerability demonstrates a classic XSS attack vector where the malicious input is stored and later executed in the victim's browser context.

The operational impact of this vulnerability extends beyond simple script execution, as it can lead to serious security consequences including session hijacking, credential theft, and unauthorized access to user accounts. When legitimate users interact with the download tasks that contain malicious code, their browsers execute the injected scripts, potentially allowing attackers to steal cookies, modify web page content, or redirect users to malicious sites. The vulnerability affects all users of the affected Synology Download Station versions, making it particularly dangerous in environments where multiple users share the same system or network. From an attack perspective, this vulnerability aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, as attackers can craft malicious torrent files that appear legitimate but contain hidden malicious payloads.

The exploitation of this vulnerability requires minimal technical expertise, as attackers only need to create specially crafted torrent files with malicious content in the name field. This makes the attack surface particularly wide and increases the likelihood of successful exploitation in real-world scenarios. Organizations using Synology Download Station software should immediately implement security measures including updating to the patched version 3.5-2962 or later, implementing web application firewalls, and conducting thorough security reviews of all uploaded content. Additionally, network administrators should consider implementing content filtering measures and user education programs to reduce the risk of inadvertently downloading malicious torrent files. The vulnerability highlights the importance of proper input validation and output encoding in web applications, particularly when handling user-supplied data from untrusted sources.

Reservation

09/11/2015

Disclosure

09/11/2015

Moderation

accepted

Entry

VDB-77679

CPE

ready

EPSS

0.02087

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!