VYPR
Unrated severity · NVD Advisory · Published Nov 30, 2020 · Updated Sep 17, 2024

CVE-2020-27659


Description

Multiple cross-site scripting (XSS) vulnerabilities in Synology SafeAccess before 1.2.3-0234 allow remote attackers to inject arbitrary web script or HTML via the (1) domain or (2) profile parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Synology SafeAccess before 1.2.3-0234 allows remote attackers to hijack admin sessions via the domain or profile parameter, potentially leading to full router compromise.

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in Synology SafeAccess versions before 1.2.3-0234. The payload is supplied through the domain or profile parameter and stored [3]. When a user attempts to access a blocked website, the domain is reflected on the activity log and reports pages of SafeAccess [1]. The vulnerability is triggered when an administrator views these pages [3]. Affected versions include SafeAccess 1.2.1-0220 [3].

Exploitation

An attacker can trigger the vulnerability by sending specially crafted HTTP requests containing malicious JavaScript in the domain parameter while accessing a blocked website [1]. The attacker does not need authentication to send the request, but the domain must be processed by a SafeAccess profile with a web filter defined [1]. When the administrator views the activity log or report pages, the stored payload executes in the context of the admin's session [1]. The exploit requires no user interaction beyond the administrator viewing the vulnerable page [1].

Impact

A successful attack allows arbitrary JavaScript execution within the SRM web interface, enabling the attacker to perform actions as the administrator via SRM API calls [1]. This can lead to full compromise of the router: an attacker could change the admin password, enable SSH service, and gain remote root access to the Synology router [1]. The scope of compromise is high, potentially affecting the entire network managed by the router [3].

Mitigation

Synology released SafeAccess version 1.2.3-0234 to fix this vulnerability [3]. Users should upgrade to this version or later immediately [3]. No workarounds are available [3]. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Synology/SafeAccess (llm-fuzzy match), 2 versions: <1.2.3-0234 and 1 more
    • (no CPE) range: <1.2.3-0234
    • (no CPE) range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization of the domain parameter before inclusion in an SQL query allows SQL injection, which can be leveraged to inject malicious JavaScript into profile names displayed in the web interface."

Attack vector

An attacker sends a crafted HTTP GET request to `/cgi/request.cgi` with a malicious `domain` parameter [ref_id=1]. The `domain` value is inserted unsanitized into an SQL INSERT query, allowing stacked queries [ref_id=1]. The attacker can use this SQL injection to modify the `profile` table in the SafeAccess database, injecting JavaScript into a profile name [ref_id=1]. When an administrator views the SafeAccess logs or profiles page in the web interface, the injected script executes in the admin's browser, enabling session cookie theft [ref_id=1].

Affected code

The vulnerability is in the `request.cgi` CGI binary and the `libsynosafeaccesslog.so` library. The function `syno::safeaccess::insert` builds an SQL query using a format string that wraps the user-supplied `domain` parameter in single quotes without any escaping [ref_id=1]. The unescaped value is then passed to `SQLite::Database::exec`, enabling SQL injection [ref_id=1].

What the fix does

The advisory does not include a patch diff. The vendor released SafeAccess version 1.2.3-0234 to address the issue [ref_id=1]. The fix would require proper escaping or parameterized queries for the `domain` parameter before it is used in the SQL INSERT statement, and sanitization of profile names displayed in the web interface to prevent stored XSS [ref_id=1].
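The following is an added example, not code from the advisory or from Synology, that models the defect described above in a constructed SQLite schema: an INSERT built from a format string versus a bound parameter, plus output encoding for the profile name shown in the admin page. Table names, the `access_log`/`profile` schema, and the hostile input are assumptions for illustration.

```python
import html
import sqlite3

# Constructed stand-in for the two tables the advisory describes: a log of
# blocked domains, and a profile table whose names are rendered in the admin UI.
SCHEMA = """
CREATE TABLE access_log (id INTEGER PRIMARY KEY, domain TEXT NOT NULL);
CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO profile (id, name) VALUES (1, 'kids');
"""

# Constructed hostile input: closes the quoted string, terminates the INSERT and
# stacks a second statement that plants markup in a profile name.
HOSTILE_DOMAIN = "x'); UPDATE profile SET name='<b>injected</b>' WHERE id=1; --"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_vulnerable(conn, domain):
    # Mirrors the described defect: the value is wrapped in single quotes with no
    # escaping, and executescript (like a multi-statement exec) runs stacked queries.
    conn.executescript("INSERT INTO access_log (domain) VALUES ('%s');" % domain)


def insert_fixed(conn, domain):
    # Bound parameter: the input is data, never SQL, and only one statement runs.
    conn.execute("INSERT INTO access_log (domain) VALUES (?);", (domain,))


def profile_name(conn, profile_id):
    return conn.execute("SELECT name FROM profile WHERE id=?", (profile_id,)).fetchone()[0]


def render_name_fixed(conn, profile_id):
    # Output encoding for the admin page: escape before the value reaches HTML,
    # so even an already-tampered profile name cannot execute as script.
    return "<td>%s</td>" % html.escape(profile_name(conn, profile_id))


def demo():
    v = fresh_db()
    insert_vulnerable(v, HOSTILE_DOMAIN)
    f = fresh_db()
    insert_fixed(f, HOSTILE_DOMAIN)
    return {
        "vulnerable_profile": profile_name(v, 1),       # tampered by the stacked UPDATE
        "fixed_profile": profile_name(f, 1),            # untouched
        "fixed_log_entry": f.execute("SELECT domain FROM access_log").fetchone()[0],
        "rendered_tampered": render_name_fixed(v, 1),   # markup neutralised on output
    }
```

Both layers of the fix matter: the bound parameter stops the stacked UPDATE, and the output encoding stops any markup that reached the database by another route from executing in the administrator's browser.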

Preconditions

  • config: SafeAccess package version before 1.2.3-0234 must be installed on Synology SRM
  • network: Attacker must be on the local network (AV:A) and able to send HTTP requests to the router
  • config: At least one user profile must be configured in SafeAccess for the XSS payload to target
  • auth: An administrator must log into the web interface and view the SafeAccess logs or profiles page

Reproduction

The Talos advisory provides a proof-of-concept. First, craft an SQL injection payload that attaches the SafeAccess control database and updates a profile name with a JavaScript payload: `sql='commit;'attach database "/usr/syno/etc/packages/SafeAccess/synoaccesscontrol/database.db" as x;'update x.profile set name="user<img src=/ onerror=""alert(document.cookie)""/>" where id=3;'`. Then send the request: `curl "http://10.254.1.2/cgi/request.cgi?domain=%27);"$(echo "$sql" | sed "s/ /%20/g")"--"` [ref_id=1]. When an administrator views the SafeAccess logs or profiles page, the injected JavaScript executes [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.