CVE-2015-6913 in Download Station
Summary
by MITRE
Cross-site scripting (XSS) vulnerability in the "Create download task via URL" feature in Synology Download Station before 3.5-2967 allows remote attackers to inject arbitrary web script or HTML via the urls parameter in an add_url_task action to dlm/downloadman.cgi.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/15/2022
The vulnerability CVE-2015-6913 represents a critical cross-site scripting flaw within Synology Download Station's download management functionality. This weakness exists in the "Create download task via URL" feature that processes user input through the urls parameter in the add_url_task action endpoint dlm/downloadman.cgi. The vulnerability affects all versions prior to 3.5-2967, making it a significant security concern for organizations relying on Synology's download management solutions. The flaw stems from inadequate input validation and output sanitization mechanisms that fail to properly escape or filter malicious script content submitted by users.
The technical exploitation of this vulnerability occurs when remote attackers submit malicious URLs containing embedded JavaScript or HTML code through the urls parameter. The system processes these inputs without sufficient sanitization, allowing the malicious content to be stored and subsequently executed within the context of other users' browsers. This creates a persistent XSS attack vector where legitimate users who view the affected download tasks or interact with the download management interface become victims of the injected malicious scripts. The attack can be leveraged to steal session cookies, perform unauthorized actions on behalf of users, or redirect victims to malicious websites.
The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with potential access to sensitive user data and system resources. Attackers could exploit this vulnerability to establish persistent access to download stations, potentially compromising the integrity of download tasks and creating backdoor access points. The vulnerability affects the core download management functionality of Synology's Download Station, which is commonly used in enterprise environments for managing file transfers and downloads. This creates a risk of data exfiltration, unauthorized file access, and potential lateral movement within network environments where Synology devices are deployed.
Organizations should implement immediate mitigations including updating to Synology Download Station version 3.5-2967 or later, which contains the necessary patches to address the input validation issues. Network segmentation and access controls should be enforced to limit exposure of Download Station services to untrusted networks. Input validation should be strengthened at all user-facing interfaces to prevent malicious content from being processed. The vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications, and represents a classic example of how insufficient input sanitization can create persistent security risks. From an ATT&CK perspective, this vulnerability maps to T1566, representing the initial compromise through phishing or malicious downloads, and T1059, which involves the execution of malicious code through web-based attacks. Regular security audits and vulnerability assessments should be conducted to identify similar input validation weaknesses in other web applications and services within the organization's infrastructure.