CVE-2017-15890
Description
Cross-site scripting (XSS) vulnerability in Disclaimer in Synology MailPlus Server before 1.4.0-0415 allows remote authenticated users to inject arbitrary web script or HTML via the NAME parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Synology MailPlus Server before 1.4.0-0415 allows authenticated users to inject arbitrary web script via the NAME parameter.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Disclaimer feature of Synology MailPlus Server before version 1.4.0-0415. The issue lies in the handling of the NAME parameter, which allows injection of arbitrary web script or HTML.
Exploitation
An attacker must be a remote authenticated user with access to the MailPlus Server. The attacker can inject malicious script via the NAME parameter in the Disclaimer form, which will be executed in the context of other users viewing the disclaimer.
Impact
Successful exploitation allows the attacker to perform reflected cross-site scripting attacks, potentially leading to disclosure of sensitive information or performing actions on behalf of other authenticated users. The CVSS v3 base score is 4.8, indicating moderate severity with low impact on confidentiality and integrity.
Mitigation
The vulnerability is fixed in Synology MailPlus Server version 1.4.0-0415 and above. Users should update via DSM Package Center to the latest version. No workarounds are mentioned in the advisory [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.4.0-0415
- (no CPE) range: before 1.4.0-0415
Patches
No patches discovered yet.
References
- [1] www.synology.com/en-global/support/security/Synology_SA_17_75 (nvd, Vendor Advisory)