MidnightBSD

Advisories for synametrics

CVE-2015-3140 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies SynaMan before 3.5 Build 1451, Syncrify before 3.7 Build 856, and SynTail before 1.5 Build 567

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
synametrics syncrify 3.1
synametrics syncrify 3.6
synametrics syncrify 2.4
synametrics synaman 2.7
synametrics synaman 1.1
synametrics synaman 3.0
synametrics syntail 1.2
synametrics syncrify 2.1
synametrics syncrify 2.5
synametrics syncrify 2.2
synametrics syncrify 3.4
synametrics synaman 2.1
synametrics synaman 2.2
synametrics synaman 2.3
synametrics synaman 3.1
synametrics syncrify 3.5
synametrics syntail 1.1
synametrics syntail 1.0
synametrics synaman 3.2
synametrics syncrify 3.3
synametrics syncrify 1.3
synametrics synaman 2.4
synametrics synaman 1.0
synametrics synaman 3.3
synametrics syncrify 3.0
synametrics syntail 1.5
synametrics synaman 3.4
synametrics synaman 2.5
synametrics syncrify 3.7
synametrics syncrify 1.4
synametrics syncrify 2.0
synametrics synaman 2.6
synametrics syncrify 2.6
synametrics syncrify 3.2
synametrics syncrify 2.3
synametrics synaman 2.0
CVE-2015-3141 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies Xeams 4.5 Build 5755 and earlier allow remote attackers to hijack the authentication of administrators for requests that create an (1) SMTP domain or a (2) user via a request to /FrontController; or conduct cross-site scripting (XSS) attacks via the (3) domainname parameter to /FrontController, when creating a new SMTP domain configuration; the (4) txtRecipient parameter to /FrontController, when creating a new forwarder; the (5) popFetchServer, (6) popFetchUser, or (7) popFetchRecipient parameter to /FrontController, when creating a new POP3 Fetcher account; or the (8) Smtp HELO domain in the Advanced Server Configuration.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
synametrics xeams *
CVE-2018-10763 LOW

Multiple cross-site scripting (XSS) vulnerabilities in Synametrics SynaMan 4.0 build 1488 via the (1) Main heading or (2) Sub heading fields in the Partial Branding configuration page.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
synametrics synaman 4.0
CVE-2018-10814 LOW

Synametrics SynaMan 4.0 build 1488 uses cleartext password storage for SMTP credentials.

CVSS 2.0

Severity: LOW

Problem Type: CWE-522,

Products Affected

Vendor Product Version
synametrics synaman 4.0
CVE-2022-22828 MEDIUM

An insecure direct object reference for the file-download URL in Synametrics SynaMan before 5.0 allows a remote attacker to access unshared files via a modified base64-encoded filename string.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-639,

Products Affected

Vendor Product Version
synametrics synaman *
CVE-2022-26250 MEDIUM

Synaman v5.1 and below was discovered to contain weak file permissions which allows authenticated attackers to escalate privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-732,

Products Affected

Vendor Product Version
synametrics synaman *
CVE-2022-26251 HIGH

The HTTP interface of Synaman v5.1 and below was discovered to allow authenticated attackers to execute arbitrary code and escalate privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-269,

Products Affected

Vendor Product Version
synametrics synaman *