CVE-2024-13987
Description
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Synology RADIUS Server allows remote authenticated users with administrator privileges to read or write limited files in SRM and conduct limited denial-of-service via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Synology RADIUS Server allows admin users to read/write limited files and cause limited denial-of-service.
Vulnerability
Overview
CVE-2024-13987 is a cross-site scripting (XSS) vulnerability in Synology RADIUS Server, stemming from improper neutralization of user input during web page generation [1]. The flaw affects RADIUS Server for DSM 7.2.2, DSM 7.1, and SRM 1.3 [1].
Exploitation
A remote authenticated attacker with administrator privileges can exploit this vulnerability by injecting malicious scripts into web pages generated by the RADIUS Server [1]. The attack requires user interaction (UI:R) and is network-accessible (AV:N) with low complexity (AC:L) [1].
Impact
Successful exploitation enables the attacker to read or write limited files on the Synology Router Manager (SRM) and conduct limited denial-of-service attacks [1]. The CVSS v3 base score is 5.9 (Medium), with a vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L [1].
Mitigation
Synology has released fixed versions: RADIUS Server 3.0.27-0516 for DSM 7.2.2, 3.0.27-0453 for DSM 7.1, and 3.0.27-0139 for SRM 1.3 [1]. Users should upgrade to these versions or later [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.