Note:
This project will be discontinued after December 13, 2021. [more]
Product:
My_cloud_os_5
(Westerndigital)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 8 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-05-18 | CVE-2022-36327 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires an authentication bypass issue to be triggered before this can be exploited. This issue affects My Cloud Home and My Cloud Home... | My_cloud_home_duo_firmware, My_cloud_home_firmware, My_cloud_os_5, Sandisk_ibi_firmware | 9.8 | ||
| 2023-05-18 | CVE-2022-36326 | An uncontrolled resource consumption vulnerability issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue requires the attacker to already have root privileges in order to exploit this vulnerability.This issue affects My Cloud Home and My Cloud Home... | My_cloud_home_duo_firmware, My_cloud_home_firmware, My_cloud_os_5, Sandisk_ibi_firmware | 4.9 | ||
| 2023-05-18 | CVE-2022-36328 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or... | My_cloud_home_duo_firmware, My_cloud_home_firmware, My_cloud_os_5, Sandisk_ibi_firmware | 4.9 | ||
| 2023-05-08 | CVE-2023-22813 | A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an... | My_cloud, My_cloud_home, My_cloud_os_5, Sandisk_ibi | 4.3 | ||
| 2020-12-12 | CVE-2020-29563 | An issue was discovered on Western Digital My Cloud OS 5 devices before 5.07.118. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to gain access to the device. | My_cloud_os_5 | 9.8 | ||
| 2020-12-01 | CVE-2020-28940 | On Western Digital My Cloud OS 5 devices before 5.06.115, the NAS Admin dashboard has an authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device. | My_cloud_os_5 | 9.8 | ||
| 2020-12-01 | CVE-2020-28970 | An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie. (In addition, an upload endpoint could then be used by an authenticated administrator to upload executable PHP scripts.) | My_cloud_os_5 | 9.8 | ||
| 2020-12-01 | CVE-2020-28971 | An issue was discovered on Western Digital My Cloud OS 5 devices before 5.06.115. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to execute privileged commands on the device via a cookie, because of insufficient validation of URI paths. | My_cloud_os_5 | 9.8 |