CVSS: 10.0EPSS: 0%CPEs: 11EXPL: 0CVE-2022-29841 – OS Command Injection vulnerability in Western Digital My Cloud devices
https://notcve.org/view.php?id=CVE-2022-29841
10 May 2023 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell in Western Digital My Cloud OS 5 devices.This issue affects My Cloud OS 5: before 5.26.119. This vulnerability allows remote attackers to execute arbitrary code on aff... • https://www.westerndigital.com/support/product-security/wdc-23002-my-cloud-firmware-version-5-26-119 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 11EXPL: 0CVE-2022-29842 – Command Injection Vulnerability in Western Digital My Cloud devices
https://notcve.org/view.php?id=CVE-2022-29842
10 May 2023 — Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability that could allow an attacker to execute code in the context of the root user on a vulnerable CGI file was discovered in Western Digital My Cloud OS 5 devicesThis issue affects My Cloud OS 5: before 5.26.119. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Western Digital MyCloud PR4100 NAS devices. Authentication is not required to exploit this vulnera... • https://www.westerndigital.com/support/product-security/wdc-23002-my-cloud-firmware-version-5-26-119 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 16EXPL: 0CVE-2022-29843 – Western Digital My Cloud OS 5 devices Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-29843
25 Jan 2023 — A command injection vulnerability in the DDNS service configuration of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to execute code in the context of the root user. Una vulnerabilidad de inyección de comandos en la configuración del servicio DDNS de dispositivos Western Digital My Cloud OS 5 que ejecutan versiones de firmware anteriores a la 5.26.119 permite a un atacante ejecutar código en el contexto del usuario root. This vulnerability allows networ... • https://www.westerndigital.com/en-in/support/product-security/wdc-23002-my-cloud-firmware-version-5-26-119 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 16EXPL: 0CVE-2022-29844 – Western Digital My Cloud OS 5 arbitrary file read and write vulnerability via ftp
https://notcve.org/view.php?id=CVE-2022-29844
25 Jan 2023 — A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker. Una vulnerabilidad en el servicio FTP de los dispositivos Western Digital My Cloud OS 5 que ejecutan versiones de firmware anteriores a la 5.26.119 permite a un atacante leer y escribir archivos arbitrarios. Esto podría provocar un com... • https://www.westerndigital.com/en-in/support/product-security/wdc-23002-my-cloud-firmware-version-5-26-119 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 4.9EPSS: 0%CPEs: 11EXPL: 0CVE-2022-29838 – Authentication issue with the encrypted volumes and auto mount feature in My Cloud devices
https://notcve.org/view.php?id=CVE-2022-29838
09 Dec 2022 — Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. La vulnerabilidad de autenticación inadecuada en los volúmenes cifrados y las funciones de montaje automático de los dispositivos Western Digital My Cloud permite un acceso directo inseguro a la información de la... • https://www.westerndigital.com/support/product-security/wdc-22019-my-cloud-firmware-version-5-25-124 • CWE-287: Improper Authentication •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2022-29839 – Remote Backups Application Discloses Stored Credentials
https://notcve.org/view.php?id=CVE-2022-29839
09 Dec 2022 — Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. Vulnerabilidad de credenciales insuficientemente protegidas en la aplicación de copias de seguridad remotas en dispositivos Western Digital My Cloud que podría permitir que un ... • https://www.westerndigital.com/support/product-security/wdc-22019-my-cloud-firmware-version-5-25-124 • CWE-522: Insufficiently Protected Credentials •
CVSS: 8.2EPSS: 0%CPEs: 16EXPL: 0CVE-2022-22999 – Cross-site Scripting Vulnerability in USB Backups App
https://notcve.org/view.php?id=CVE-2022-22999
25 Jul 2022 — Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components. Los dispositivos My Cloud de Western Digital so... • https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 18EXPL: 0CVE-2022-23000 – Weak Default SSL use in Port Forwarding Service
https://notcve.org/view.php?id=CVE-2022-23000
25 Jul 2022 — The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. Th... • https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114 • CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') •
CVSS: 10.0EPSS: 1%CPEs: 26EXPL: 0CVE-2022-22995 – Western Digital My Cloud OS 5 and My Cloud Home Unauthenticated Arbitrary File Write Vulnerability in Netatalk
https://notcve.org/view.php?id=CVE-2022-22995
25 Mar 2022 — The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code. La combinación de primitivas que ofrecen SMB y AFP en su configuración por defecto permite la escritura arbitraria de archivos. Al explotar esta combinación de primitivas, un atacante puede ejecutar código arbitrario It was discovered that Netatalk did not properly protect an SMB and AFP default confi... • https://lists.debian.org/debian-lts-announce/2024/01/msg00000.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 9.8EPSS: 3%CPEs: 11EXPL: 0CVE-2022-22994 – Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability on Western Digital My Cloud devices.
https://notcve.org/view.php?id=CVE-2022-22994
28 Jan 2022 — A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP. Se ha detectado una vulnerabilidad de ejecución de código remota en los dispositivos My Cloud de Western Digital donde un atacante podía engañar a un dispositivo NAS para cargar... • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-345: Insufficient Verification of Data Authenticity •