CVE-2024-47268
Description
Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Synology Surveillance Station before 9.2.2-11575/9575 has a missing authorization flaw in its AddOns functionality allowing admin users to obtain sensitive information.
Vulnerability
The missing authorization vulnerability (CWE-862) exists in the AddOns functionality of Synology Surveillance Station before version 9.2.2-11575 for DSM 7.2/7.1 and before version 9.2.2-9575 for DSM 6.2 [1]. The issue allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors [1].
Exploitation
An attacker must have valid administrator credentials to authenticate to the Surveillance Station web interface [1]. No additional privileges or user interaction are required beyond admin access. Because the AddOns functionality does not perform an authorization check, an authenticated administrator can reach sensitive data through the unspecified vectors [1].
Impact
Successful exploitation results in the disclosure of sensitive information [1]. The CVSS vector indicates a Confidentiality impact of HIGH, while Integrity and Availability are not affected [1]. The attacker gains access to data they are not authorized to view, potentially including system configurations, credentials, or other confidential data stored by Surveillance Station [1].
Mitigation
Synology has released fixed versions: upgrade to Surveillance Station 9.2.2-11575 or above for DSM 7.2/7.1, and to 9.2.2-9575 or above for DSM 6.2 [1]. No workarounds are provided in the advisory; upgrading is the recommended action [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: < 9.2.2-11575 and < 9.2.2-9575
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.