CVE-2024-29228 HIGH

CVE-2024-29228

Vendor Synology

Product Surveillance Station

Weakness CWE-862 · Missing authorization

Published March 28, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors.

Key dates

02Disclosure timeline

March 28, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-29228 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2025-9029 WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder <= 1.2.16 - Missing Authentication via wdkit_handle_review_submission Function CVE-2025-22737 WordPress WpTravelly Plugin <= 1.8.5 - Broken Access Control vulnerability CVE-2024-43341 WordPress Hello Agency theme <= 1.0.5 - Broken Access Control vulnerability CVE-2025-31606 WordPress SP Blog Designer plugin <= 1.0.0 - Arbitrary Shortcode Execution vulnerability CVE-2024-13231 WordPress Portfolio Builder – Portfolio Gallery <= 1.1.7 - Missing Authorization to Unauthenticated Portfolio Update

Identifiers

CVE CVE-2024-29228

CWE CWE-862

CVSS 7.7 / HIGH

Affected versions

Vendor Synology

Product Surveillance Station

Affected < 9.2.0-9289

Vendor Synology

Product Surveillance Station

Affected < 9.2.0-11289