7.5
CVE-2024-50631
- EPSS 1.06%
- Veröffentlicht 19.03.2025 05:50:08
- Zuletzt bearbeitet 16.01.2026 15:26:43
- Quelle security@synology.com
- CVE-Watchlists
- Unerledigt
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to inject SQL commands, limited to write operations, via unspecified vectors.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Synology ≫ Drive Server Version < 3.0.4-12699
Synology ≫ Drive Server Version < 3.2.1-23280
Synology ≫ Drive Server Version < 3.5.0-26085
Synology ≫ Drive Server Version < 3.5.1-26102
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.06% | 0.777 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@synology.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
|
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.