
CVE-2024-50631: Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive...

7.5 CVSS

Description

Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to inject SQL commands, limited to write operations, via unspecified vectors.

Classification

CVE ID: CVE-2024-50631

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Problem Types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products

Vendor: Synology

Product: Synology Drive Server

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.25% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-17 (when this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-50631
https://www.synology.com/en-global/security/advisory/Synology_SA_24_21

Timeline