Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Router_manager | Synology | 1.2 (including) | 1.2.4-8081 (excluding) |