An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.
Published: 2017-07-24 20:29:00
Updated: 2018-01-12 02:29:04
Source: Synology Inc.
Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2017-9554

EPSS score: 2.95% (probability of exploitation activity in the next 30 days)
Percentile: ~89% (the proportion of vulnerabilities that are scored at or less)

Metasploit modules for CVE-2017-9554

  • Synology Forget Password User Enumeration Scanner
    Disclosure Date: 2011-01-05
    First seen: 2020-05-22
    auxiliary/scanner/http/synology_forget_passwd_user_enum
    This module attempts to enumerate users on the Synology NAS by sending GET requests for the forgot-password URL. The Synology NAS responds differently depending on whether the user exists. These requests count as login attempts, and the default is 10 logins in 5 min to

CVSS scores for CVE-2017-9554

Base Score  Base Severity  CVSS Vector                                       Exploitability Score  Impact Score  Score Source  First Seen
5.0         MEDIUM         AV:N/AC:L/Au:N/C:P/I:N/A:N                        10.0                  2.9           NIST
5.3         MEDIUM         CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N      3.9                   1.4           NIST

CWE ids for CVE-2017-9554

References for CVE-2017-9554

Products affected by CVE-2017-9554
