VYPR
Unrated severity · NVD Advisory · Published Jul 5, 2018 · Updated Sep 17, 2024

CVE-2018-8928

Description

Stored XSS in Synology CardDAV Server Address Book Editor allows authenticated users to inject arbitrary web script via contact name fields.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the Address Book Editor component of Synology CardDAV Server prior to version 6.0.8-0086 [1]. The flaw allows remote authenticated users to inject arbitrary web script or HTML via the family_name, given_name, or additional_name parameters when creating or editing a contact. The injected script is stored and executed when other users view the affected contact entry.

Exploitation

An attacker needs valid credentials for the CardDAV Server. They place a payload (for example, an HTML tag carrying a script event handler) in any of the three vulnerable fields when creating or modifying a contact. When another authenticated user opens the Address Book and views that contact, the payload executes in the context of the victim's browser session. Viewing the contact is the only user interaction required, which is the UI:R component of the CVSS vector.
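The name-field flow described in the Vulnerability and Exploitation sections, as an added example that is not Synology's code and is not taken from the advisory: a small JavaScript model of an address-book page that parses the N property of a vCard into family_name, given_name and additional_name, renders those fields into HTML first by plain string concatenation (the stored-XSS pattern) and then with output encoding, and includes a scanner for hunting payloads already sitting in an exported address book. The vCard text is constructed for the example; the function names, the `<img onerror>` payload and the markup heuristic are assumptions of this example, not details from the advisory.

```javascript
// Added example, not Synology code. Models the bug class behind CVE-2018-8928:
// contact name components rendered into HTML without output encoding.

// Constructed sample vCard export (not real data): one benign contact and one
// whose given-name component carries a stored payload.
const SAMPLE_VCARDS = `BEGIN:VCARD
VERSION:3.0
N:Doe;Jane;Marie;;
FN:Jane Marie Doe
END:VCARD
BEGIN:VCARD
VERSION:3.0
N:Mallory;<img src=x onerror=alert(document.cookie)>;;;
FN:Mallory
END:VCARD
`;

// Parse the N property of each vCard into the three components the advisory
// names. Minimal parser for the example: no line folding, no quoted-printable.
function parseVCards(text) {
  const contacts = [];
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === 'BEGIN:VCARD') { current = {}; continue; }
    if (line === 'END:VCARD') { if (current) contacts.push(current); current = null; continue; }
    if (!current) continue;
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    // Property name comes before any ';'-separated parameters (e.g. N;CHARSET=...).
    const prop = line.slice(0, idx).split(';')[0].toUpperCase();
    const value = line.slice(idx + 1);
    if (prop === 'N') {
      const [family = '', given = '', additional = ''] = value.split(';');
      current.family_name = family;
      current.given_name = given;
      current.additional_name = additional;
    }
  }
  return contacts;
}

// Vulnerable pattern (hypothetical, for illustration): user-controlled fields are
// concatenated straight into markup. A browser parsing this row would run the
// onerror handler for the Mallory record.
function renderContactUnsafe(c) {
  return `<tr><td>${c.family_name}</td><td>${c.given_name}</td><td>${c.additional_name}</td></tr>`;
}

// Hardened form: HTML-encode every untrusted field before it touches markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderContactSafe(c) {
  return `<tr><td>${escapeHtml(c.family_name)}</td><td>${escapeHtml(c.given_name)}</td><td>${escapeHtml(c.additional_name)}</td></tr>`;
}

// Hunting helper: flag stored contacts whose name components contain markup
// metacharacters or handler-like fragments. The heuristic is an assumption of
// this example; a personal name has no legitimate need for '<' or '>'.
function findSuspiciousContacts(contacts) {
  const markup = /[<>]|javascript:|on\w+\s*=/i;
  return contacts.filter(c =>
    [c.family_name, c.given_name, c.additional_name].some(v => markup.test(v)));
}

// Stand-alone run: parse the sample export and report stored payloads.
const sampleContacts = parseVCards(SAMPLE_VCARDS);
for (const c of findSuspiciousContacts(sampleContacts)) {
  console.log('suspicious contact:', JSON.stringify(c));
  console.log('unsafe render:', renderContactUnsafe(c));
  console.log('safe render:  ', renderContactSafe(c));
}
```

Run under Node: the unsafe renderer returns the tag intact, the safe renderer returns it as `&lt;img ...&gt;`, and the scanner flags the Mallory record. Encoding at render time is the fix that belongs in the Address Book Editor; rejecting markup on input is a useful second layer but not a substitute, because records stored before the patch, or written through the CardDAV protocol by another client, never pass through the editor's input check.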

Impact

Successful exploitation lets the attacker execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of session cookies, unauthorized actions performed on behalf of the victim, or defacement of the Address Book interface. Cookie theft requires that the session cookie be readable from script (no HttpOnly flag); actions issued through the victim's browser do not, since the script runs with the victim's authenticated session either way. The CVSS v3 base score is 6.5 (Medium) with a vector of AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating a scope change and limited impact on confidentiality, integrity, and availability [1].

Mitigation

Synology has released CardDAV Server version 6.0.8-0086 to address this vulnerability; administrators should upgrade to that version or later [1]. No workarounds are provided in the advisory. Until the update is applied, the only compensating control is to limit who holds CardDAV Server accounts, since exploitation requires authenticated access. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the date this insight was generated.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Synology / CardDAV Server (vendor/product match: llm-fuzzy; 2 version ranges)
    • (no CPE) range: <6.0.8-0086
    • (no CPE) range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.