CVE-2020-27652
https://notcve.org/view.php?id=CVE-2020-27652
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors. • https://www.synology.com/security/advisory/Synology_SA_20_18 https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1061 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CVE-2020-27650
https://notcve.org/view.php?id=CVE-2020-27650
Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session. • https://www.synology.com/security/advisory/Synology_SA_20_18 • CWE-311: Missing Encryption of Sensitive Data; CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CVE-2020-27648
https://notcve.org/view.php?id=CVE-2020-27648
Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. • https://www.synology.com/security/advisory/Synology_SA_20_18 https://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1058 • CWE-295: Improper Certificate Validation