CVE-2017-16775

CVSS 7.1 HIGH · EPSS 1.1% · CWE-1021
In short

Synology SSO Server before 2.1.3-0129 does not stop its pages from being rendered inside a frame on a third-party site. An attacker can load the SSO user interface in an invisible iframe placed over a decoy page, so that a logged-in user who believes they are clicking the decoy is actually clicking controls in the SSO application (clickjacking).

Technical detail

SSOOauth.cgi does not restrict which origins may render it in a frame (CWE-1021, Improper Restriction of Rendered UI Layers or Frames). The official description names no specific vector; the usual root cause for this class of finding is that the response carries neither an X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive, which lets a remote attacker embed the page in an iframe on a site they control and route the victim's clicks into it. No authentication is needed on the attacker's side (PR:N), but the victim must open the attacker's page and interact with it (UI:R), and because the framed content belongs to a different origin than the attacker's page the scope is changed (S:C).
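The following Python script is an added example, not code from the advisory or from Synology. It classifies an HTTP response's anti-framing posture the way a tester would when verifying a CWE-1021 finding: it parses raw response headers, checks Content-Security-Policy frame-ancestors first (it overrides X-Frame-Options where both are present) and then X-Frame-Options, and runs over a set of constructed sample responses. Passing a URL on the command line assesses a live endpoint instead; the sample responses are fabricated for illustration, and the script assumes nothing about the device's URL path because the advisory names only SSOOauth.cgi.

```python
"""
Anti-framing header check for CWE-1021 (clickjacking) findings such as the one
in this advisory. Added example; not Synology code. The advisory names no
specific vector, so the sample responses below are constructed, not captured.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request

Headers = dict[str, list[str]]


def parse_response_headers(raw: bytes) -> Headers:
    """Parse the header block of a raw HTTP/1.x response into a multimap keyed
    by lower-cased header name. The status line and any body are ignored."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: Headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            key = name.strip().lower().decode("latin-1")
            headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def csp_frame_ancestors(csp_values: list[str]) -> list[str] | None:
    """Return the source list of the first frame-ancestors directive found in
    any Content-Security-Policy value, or None if no policy carries one.
    frame-ancestors does NOT fall back to default-src, so a policy without it
    gives no framing protection at all."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers: Headers) -> tuple[str, str]:
    """Classify a response as 'protected', 'weak' or 'unprotected' against
    cross-origin framing, with a one-line reason. CSP is consulted first
    because frame-ancestors overrides X-Frame-Options in current browsers."""
    ancestors = csp_frame_ancestors(headers.get("content-security-policy", []))
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return "protected", "CSP frame-ancestors 'none'"
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return "weak", "CSP frame-ancestors permits arbitrary origins"
        return "protected", "CSP frame-ancestors restricted to " + " ".join(ancestors)

    # Legacy header; both repeated and comma-separated values occur in the wild.
    xfo = [v.strip().lower()
           for value in headers.get("x-frame-options", [])
           for v in value.split(",") if v.strip()]
    if xfo:
        if "deny" in xfo:
            return "protected", "X-Frame-Options: DENY"
        if set(xfo) == {"sameorigin"}:
            return "protected", "X-Frame-Options: SAMEORIGIN"
        if any(v.startswith("allow-from") for v in xfo):
            return "weak", "X-Frame-Options: ALLOW-FROM is obsolete; browsers ignore it"
        # Mixed or unrecognised values are browser-dependent; treat as weak.
        return "weak", "unrecognised X-Frame-Options value(s): " + ", ".join(xfo)

    return "unprotected", "neither X-Frame-Options nor CSP frame-ancestors present"


# Constructed sample responses for illustration (not captured from a device).
SAMPLES: dict[str, bytes] = {
    "no_anti_framing_headers": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        b"Set-Cookie: id=abc; HttpOnly\r\n\r\n<html>login form</html>"),
    "csp_default_src_only": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        b"Content-Security-Policy: default-src 'self'\r\n\r\n<html></html>"),
    "xfo_allow_from": (
        b"HTTP/1.1 200 OK\r\n"
        b"X-Frame-Options: ALLOW-FROM https://portal.example\r\n\r\n"),
    "xfo_deny": b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    "csp_none_overrides_xfo": (
        b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
        b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n"),
}


def scan_samples() -> dict[str, str]:
    """Verdict for each constructed sample response."""
    return {name: assess_framing(parse_response_headers(raw))[0]
            for name, raw in SAMPLES.items()}


def assess_url(url: str) -> tuple[str, str]:
    """Fetch one URL and assess its response headers. Error responses (e.g. a
    401 or 403 from an SSO endpoint) are assessed too, since the framed page
    is whatever the browser actually renders."""
    req = urllib.request.Request(url, headers={"User-Agent": "framing-check/1.0"})
    try:
        resp = urllib.request.urlopen(req, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err
    headers: Headers = {}
    for name, value in resp.headers.items():
        headers.setdefault(name.lower(), []).append(value)
    return assess_framing(headers)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(assess_url(sys.argv[1]))
    else:
        for sample_name, sample_raw in SAMPLES.items():
            print(f"{sample_name:26s} {assess_framing(parse_response_headers(sample_raw))}")
```

The absence of both headers is the indicator to report, not proof of exploitability by itself: a page may still carry script-based frame busting, although that is bypassable (for example with the iframe sandbox attribute) and is not accepted as an adequate control. Conversely, the `csp_default_src_only` sample shows that a Content-Security-Policy without an explicit `frame-ancestors` directive offers no framing protection, because that directive does not inherit from `default-src`.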

Summary generated and translated by AI from the official description.
Improper restriction of rendered UI layers or frames vulnerability in SSOOauth.cgi in Synology SSO Server before 2.1.3-0129 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Affected products
Synology · SSO Server