CVE-2021-47960 PUBLISHED

Assigner: synology
Reserved: 10.04.2026 Published: 10.04.2026 Updated: 10.04.2026

A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Product Status

Vendor: Synology
Product: Synology SSL VPN Client
Versions: Default: affected
  • affected from * to 1.4.5-0684 (excl.)

Credits

  • Laurent Sibilla (https://www.linkedin.com/in/lsibilla/), finder

Problem Types

  • CWE: Files or Directories Accessible to External Parties