CVE-2024-45538 PUBLISHED

Assigner: synology
Reserved: 02.09.2024 Published: 04.12.2025 Updated: 04.12.2025

Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 9.6

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Synology
Product	DiskStation Manager (DSM)
Versions	Default: affected affected from 7.2.2 to 7.2.2-72806 (excl.) affected from 7.2.1 to 7.2.1-69057-2 (excl.) unknown from 0 to 7.2.1 (excl.)

Vendor	Synology
Product	Unified Controller (DSMUC)
Versions	Default: affected affected from 3.1 to 3.1.4-23079 (excl.) unknown from 0 to 3.1 (excl.)

Credits

Steven Lin ( https://x.com/5teven1in ) finder

References

Synology-SA-24:27 DSM

Problem Types

Cross-Site Request Forgery (CSRF) CWE