Home

Description

A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files.

PUBLISHED Reserved 2025-03-12 | Published 2025-12-04 | Updated 2025-12-04 | Assigner synology




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
affected

1.3 (semver) before 1.3.1-9346-13
affected

Any version before 1.3
unknown

Credits

Qian Chen (@cq674350529) from Codesafe Team of Legendsec at QI-ANXIN Group finder

References

www.synology.com/...obal/security/advisory/Synology_SA_25_04 (Synology-SA-25:04 SRM) vendor-advisory

cve.org (CVE-2025-29845)

nvd.nist.gov (CVE-2025-29845)