Cybersecurity specialists reported the finding of two critical vulnerabilities in Safe Access, the online security threat solution employed by some routers and NAS systems of technology company Synology. Successful exploitation of these vulnerabilities would allow threat actors to deploy XSS attacks or execute arbitrary code on affected systems.

Below are brief descriptions of reported failures, in addition to their respective identification keys and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2020-27659: The vulnerability exists due to insufficient disinfection of user-provided data in the domain or profile parameter. Remote threat actors could trick victims into sending specially designed links and running HTML code and arbitrary script in the target user’s browser.

The flaw received a score of 4.7/10 and its exploitation would allow threat actors to steal information, deploy phishing attacks and even modify the appearance of an attacked website. 

CVE-2020-27660: Insufficient disinfection of user input through the domain parameter in request.cgi would allow remote hackers to send specially designed requests to execute arbitrary SQL commands on the target system.

The flaw received a score of 8.5/10 and its successful exploitation would allow threat actors to read, delete and modify the data in an affected application.

According to reports, failures reside in all versions of Safe Access prior to v1.2.3-0234.

Although the flaws can be exploited by remote threat actors, cybersecurity specialists have not detected attempts at active exploitation or the existence of a malware variant linked to this attack.

Synology has already released the required security patches, so users of affected installations are advised to update as soon as possible.