CVE-2020-27650 MEDIUM

Vendor: Synology
Product: DiskStation Manager (DSM)
Weakness: CWE-614 · Cookie without Secure flag
Published: October 29, 2020
Last update: September 16, 2024

CVSS base score

5.8/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

Key dates

02 Disclosure timeline

October 29, 2020: CVE published
September 16, 2024: Record updated