VYPR
Unrated severity · NVD Advisory · Published Feb 13, 2025 · Updated Feb 13, 2025

CVE-2024-47266

Description

Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in share file list functionality in Synology Active Backup for Business before 2.7.1-13234, 2.7.1-23234 and 2.7.1-3234 allows remote authenticated users with administrator privileges to read specific files containing non-sensitive information via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in Synology Active Backup for Business allows authenticated admins to read specific non-sensitive files.

Vulnerability

A path traversal vulnerability exists in the share file list functionality of Synology Active Backup for Business. The improper limitation of a pathname to a restricted directory allows remote authenticated users with administrator privileges to read specific files containing non-sensitive information via unspecified vectors. Affected versions are those before 2.7.1-13234 (for DSM 7.1), 2.7.1-23234 (for DSM 7.2), and 2.7.1-3234 (for DSM 6.2) [1].

Exploitation

An attacker must have remote network access and valid administrator credentials for the Synology Active Backup for Business instance. The exact attack vector is not disclosed, but it involves the share file list functionality. No user interaction beyond authentication is required, and the attack complexity is low [1].

Impact

Successful exploitation allows the attacker to read specific files that contain non-sensitive information. The confidentiality impact is low, and there is no impact on integrity or availability. The CVSS v3.1 base score is 2.7 (Low) [1].

Mitigation

Synology has released fixed versions: upgrade to 2.7.1-13234 (DSM 7.1), 2.7.1-23234 (DSM 7.2), or 2.7.1-3234 (DSM 6.2) or later. No workarounds are provided. The advisory was published on 2025-02-11 [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: < 2.7.1-13234, < 2.7.1-23234, < 2.7.1-3234 (no CPE)
  • Range: * (no CPE)

References

1
