CVE-2025-13167
Description
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Synology Contacts allows authenticated users to read/write non-sensitive files; fixed in version 1.0.10-20659.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the contact functionality of Synology Contacts before version 1.0.10-20659 [1]. The application fails to neutralize user-supplied input when it generates web pages, so HTML and JavaScript placed in a contact field are emitted into a page as markup rather than as text. The advisory does not name the affected field or request ("unspecified vectors"); for a contact-management feature the likely pattern is a stored one, in which an authenticated user creates or edits a contact whose fields carry the payload, but that is an inference from the description rather than a detail the advisory confirms.
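The rendering flaw described above, shown as an added example that is not Synology Contacts code and is not taken from the advisory: a contact-card renderer that concatenates raw fields into markup, the same renderer with context-appropriate escaping, and a small scanner that reports executable markup in the output. The contact field names, the page markup and the payloads are constructed for illustration.

```javascript
// Added example, not Synology Contacts code: how unescaped contact fields
// become XSS when a page is generated, and the escaping that prevents it.
// Contact field names, the markup and the payloads are illustrative assumptions.

// Escape the five characters that matter inside element text and
// double-quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: raw fields are concatenated straight into the page.
function renderContactUnsafe(contact) {
  return `<div class="contact">` +
    `<h2>${contact.name}</h2>` +
    `<a href="mailto:${contact.email}">${contact.email}</a>` +
    `<p class="notes">${contact.notes}</p>` +
    `</div>`;
}

// Hardened: each field is escaped for its output context, and the mailto:
// link is only emitted when the value looks like a plain address, so a
// field cannot smuggle in another URL scheme or break out of the attribute.
function renderContactSafe(contact) {
  const email = /^[^\s"'<>@]+@[^\s"'<>@]+$/.test(contact.email) ? contact.email : "";
  return `<div class="contact">` +
    `<h2>${escapeHtml(contact.name)}</h2>` +
    (email ? `<a href="mailto:${escapeHtml(email)}">${escapeHtml(email)}</a>` : "") +
    `<p class="notes">${escapeHtml(contact.notes)}</p>` +
    `</div>`;
}

// Scan rendered output for tags that execute script: script-like elements,
// inline event handlers and javascript: URLs. Escaped text never forms a
// tag, so it is never reported.
function findActiveMarkup(html) {
  const findings = [];
  for (const tag of html.match(/<[a-z][^>]*>/gi) || []) {
    if (/^<(script|iframe|object|embed)\b/i.test(tag) ||
        /\son[a-z]+\s*=/i.test(tag) ||
        /\b(href|src)\s*=\s*["']?\s*javascript:/i.test(tag)) {
      findings.push(tag);
    }
  }
  return findings;
}

// Constructed sample contacts: one with a payload in every field, one benign.
const maliciousContact = {
  name: '<img src=x onerror="alert(document.cookie)">',
  email: '"><script>alert(1)</script>',
  notes: "Meeting notes <svg onload=alert(2)>",
};
const benignContact = {
  name: "Ada Lovelace",
  email: "ada@example.com",
  notes: "Prefers email; ask about the 'Analytical Engine' project",
};

console.log("unsafe renderer:", findActiveMarkup(renderContactUnsafe(maliciousContact)));
console.log("safe renderer:  ", findActiveMarkup(renderContactSafe(maliciousContact)));
console.log(renderContactSafe(benignContact));
```

The scanner flags four executable fragments in the unsafe output (the `img` with `onerror`, two `script` elements from the e-mail value landing in both the attribute and the link text, and the `svg` with `onload`) and none in the hardened output. The point to take from the e-mail field is that escaping alone is not enough for a URL attribute: a value that is syntactically harmless after escaping can still change the link's scheme, which is why the hardened renderer validates it before use.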
Exploitation
An attacker with remote authenticated access to Synology Contacts can craft a contact entry containing script. When another authenticated user views or interacts with that contact (for example by opening its detail page), the injected script runs in the victim's browser within the victim's session [1]. The CVSS vector cited by the advisory marks user interaction as required (UI:R): the victim must take some action, such as opening the attacker's contact, before the payload executes [1].
Impact
Successful exploitation lets the attacker read or write specific files that contain non-sensitive information, acting with the victim's permissions. The scope is changed (S:C), meaning the impact extends beyond the vulnerable component into the victim's browser session, but the confidentiality and integrity impacts are rated low [1]. No sensitive data such as credentials or system configuration files is disclosed.
Mitigation
Synology has released fixed packages for DSM 7.3, 7.2.2 and 7.2.1: upgrade Synology Contacts to 1.0.10-20659 or later [1]. There is no workaround; updating the package is the only mitigation [1]. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
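A version check for the fix above, added here and not part of the advisory or Synology's tooling: it parses version strings of the `major.minor.patch-build` form the advisory uses and compares them numerically against 1.0.10-20659. The installed version string is assumed to be supplied by the reader (for example from Package Center); the older version numbers used as inputs are constructed for illustration, not real releases.

```javascript
// Added example, not Synology tooling: is an installed Synology Contacts
// version below the fixed version 1.0.10-20659? Version strings are assumed
// to have the form "major.minor.patch-build" as used in the advisory.

const FIXED_VERSION = "1.0.10-20659";

// Parse "1.0.10-20659" into [1, 0, 10, 20659]. The build number is optional;
// a string without one compares as build 0, i.e. conservatively as older.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), Number(m[4] ?? 0)];
}

// Component-wise numeric comparison: returns -1, 0 or 1. Plain string
// comparison is wrong here because "1.0.9" sorts after "1.0.10".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < pa.length; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version is strictly below the fixed one.
function isAffected(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Constructed inputs for illustration (not real release numbers).
for (const v of ["1.0.9-20632", "1.0.10-20658", "1.0.10-20659", "1.0.11-20700"]) {
  console.log(v, isAffected(v) ? "affected, update" : "fixed");
}
```

Compare `"1.0.9" < "1.0.10"` in plain JavaScript and you get `false`, so a naive string check would report a vulnerable 1.0.9 build as patched; the numeric comparison above avoids that mistake.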
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.