Home

Description

A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages.

PUBLISHED Reserved 2025-03-12 | Published 2025-12-04 | Updated 2025-12-05 | Assigner synology




HIGH: 7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
affected

1.3 (semver) before 1.3.1-9346-13
affected

Any version before 1.3
unknown

Credits

Qian Chen (@cq674350529) from Codesafe Team of Legendsec at QI-ANXIN Group finder

References

www.synology.com/...obal/security/advisory/Synology_SA_25_04 (Synology-SA-25:04 SRM) vendor-advisory

cve.org (CVE-2025-29846)

nvd.nist.gov (CVE-2025-29846)