A security vulnerability relating to Synergetic SynWeb was very recently identified. With the right technical knowledge and under certain conditions, it may be possible for someone to log in to SynWeb with elevated permissions. The issue affects clients running v69 and v70 together with SAML authentication.
A critical hotfix has been created as an update to a core SynWeb binary file, Synergetic.SynWeb.Web.dll. The hotfix will be delivered automatically via the updater.
The hotfix can be applied manually if required. The file must be replaced with the fixed version, and the IIS website application pool must then be recycled so that the new DLL is loaded. The file replacement and application pool restart will cause a brief outage of the SynWeb service, estimated at around one minute. Anyone connected to SynWeb during this time will have their session dropped and will be able to log in again once the website application pool restarts. This patch does not require any downtime for other Synergetic products.
Successful application of the hotfix can be verified in the Windows Event Viewer. Look for the source 'SynWebFileUpdateHotfix'; there should be an entry with EventID '1010' stating that the hotfix was successfully applied, together with the file path. Additionally, the file 'Synergetic.SynWeb.Web.dll' located in the 'bin' folder will have a modified date of 12/01/2021.
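The verification described above can be scripted. The following PowerShell is an added example, not part of the original advisory or of Synergetic's tooling. It assumes the event is written to the Application log, and the parameters -BinPath and -ReferenceFile are hypothetical names for values the administrator supplies.

```powershell
# Added example: the advisory's checks, run on the SynWeb web server.
# Assumptions (not in the advisory): the event is in the Application log;
# -BinPath and -ReferenceFile are values the administrator supplies.
param(
    [Parameter(Mandatory)] [string] $BinPath,   # SynWeb site's 'bin' folder
    [string] $ReferenceFile                     # optional: downloaded hotfix DLL for your version
)

$dllPath = Join-Path $BinPath 'Synergetic.SynWeb.Web.dll'
if (-not (Test-Path -LiteralPath $dllPath -PathType Leaf)) {
    throw "Not found: $dllPath"
}
$dll = Get-Item -LiteralPath $dllPath

# Newest matching event; source and EventID are the ones named in the advisory.
$hotfixEvent = $null
try {
    $hotfixEvent = Get-WinEvent -MaxEvents 1 -ErrorAction Stop -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'SynWebFileUpdateHotfix'
        Id           = 1010
    }
} catch {
    Write-Warning "No EventID 1010 from SynWebFileUpdateHotfix found: $($_.Exception.Message)"
}

# Optional: byte-for-byte confirmation against the hotfix file you downloaded.
$matchesReference = $null
if ($ReferenceFile) {
    $deployed  = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
    $reference = (Get-FileHash -LiteralPath $ReferenceFile -Algorithm SHA256).Hash
    $matchesReference = ($deployed -eq $reference)
}

[pscustomobject]@{
    EventFound       = [bool]$hotfixEvent
    EventTime        = $hotfixEvent.TimeCreated
    EventMessage     = $hotfixEvent.Message
    DllPath          = $dll.FullName
    DllLastWriteTime = $dll.LastWriteTime      # compare with the date in the advisory
    DllFileVersion   = $dll.VersionInfo.FileVersion
    MatchesReference = $matchesReference       # $null when no reference file was given
}
```

Run it from an elevated prompt on each SynWeb server. The hash comparison confirms that the deployed file is the fixed one, independently of the modified date.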
Hotfix file for each version