CVE-2024-39351

Published: Jun 28, 2024Modified: Apr 10, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the NTP configuration. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.

Affected (2)

Products: Synology: Bc500 Firmware, Tc500 Firmware

2 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Synology Bc500 Firmware	Before 1.0.7-0298

Running on/with	Platform Versions
Synology Bc500	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Synology Tc500 Firmware	Before 1.0.7-0298

Running on/with	Platform Versions
Synology Tc500	All versions

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://www.synology.com/en-global/security/advisory/Synology_SA_23_15

Source: security@synology.com

Vendor Advisory

https://www.synology.com/en-global/security/advisory/Synology_SA_23_15

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.