Upstream information

CVE-2022-46165 at MITRE


Syncthing is an open source, continuous file synchronization program. In versions prior to 1.23.5 a compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically. Additionally adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page. As a result the webUI may be subject to a stored cross site scripting attack. This issue has been addressed in version 1.23.5. Users are advised to upgrade. Users unable to upgrade should avoid sharing folders with untrusted users.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
  National Vulnerability Database SUSE
Base Score 4.6 4.6
Attack Vector Network Network
Attack Complexity Low Low
Privileges Required Low Low
User Interaction Required Required
Scope Unchanged Unchanged
Confidentiality Impact Low Low
Integrity Impact Low Low
Availability Impact None None
CVSSv3 Version 3.1 3.1
SUSE Bugzilla entry: 1212085 [IN_PROGRESS]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Package Hub 15 SP5
  • syncthing >= 1.23.5-bp155.2.3.1
  • syncthing-relaysrv >= 1.23.5-bp155.2.3.1
openSUSE Leap 15.5
  • syncthing >= 1.23.5-bp155.2.3.1
  • syncthing-relaysrv >= 1.23.5-bp155.2.3.1
openSUSE Tumbleweed
  • syncthing >= 1.23.5-1.1
  • syncthing-relaysrv >= 1.23.5-1.1

SUSE Timeline for this CVE

CVE page created: Tue Jun 6 22:00:53 2023
CVE page last modified: Sun Jun 16 02:31:56 2024