CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2022-29839 – Remote Backups Application Discloses Stored Credentials
https://notcve.org/view.php?id=CVE-2022-29839
09 Dec 2022 — Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. Vulnerabilidad de credenciales insuficientemente protegidas en la aplicación de copias de seguridad remotas en dispositivos Western Digital My Cloud que podría permitir que un ... • https://www.westerndigital.com/support/product-security/wdc-22019-my-cloud-firmware-version-5-25-124 • CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-22994 – Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability on Western Digital My Cloud devices.
https://notcve.org/view.php?id=CVE-2022-22994
28 Jan 2022 — A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP. Se ha detectado una vulnerabilidad de ejecución de código remota en los dispositivos My Cloud de Western Digital donde un atacante podía engañar a un dispositivo NAS para cargar... • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-22993 – Limited Server-Side Request Forgery vulnerability on Western Digital My Cloud devices.
https://notcve.org/view.php?id=CVE-2022-22993
28 Jan 2022 — A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters. Se ha detectado una vulnerabilidad de tipo SSRF limitada en los dispositivos My Cloud de Western Digital que podía permitir a un atacante hacerse pasar por un servidor y llegar a cualquier página del mismo omitiendo los controles de acces... • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 11EXPL: 0CVE-2022-22992 – Command Injection Remote Code Execution vulnerability on Western Digital My Cloud devices.
https://notcve.org/view.php?id=CVE-2022-22992
17 Jan 2022 — A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping individual arguments to shell functions coming from user input. Se ha detectado una vulnerabilidad de ejecución de código remota por inyección de comandos en los dispositivos My Cloud de Western Digital que podría permitir a un atacante ejecutar comandos arbitrarios del sistema e... • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 8.8EPSS: 2%CPEs: 11EXPL: 0CVE-2022-22990 – Limited authentication bypass vulnerability on Western Digital My Cloud devices
https://notcve.org/view.php?id=CVE-2022-22990
13 Jan 2022 — A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts. Se ha detectado una vulnerabilidad de omisión de autenticación limitada que podría permitir a un atacante lograr una ejecución de código remota y escalar privilegios en los dispositivos My Cloud. Se ha abordado esta vulnerabilid... • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-287: Improper Authentication CWE-697: Incorrect Comparison •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-22991 – Command injection through unsecured HTTP calls on Western Digital My Cloud devices
https://notcve.org/view.php?id=CVE-2022-22991
13 Jan 2022 — A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP. Un usuario malicioso en la misma LAN podría usar una suplantación de DNS seguida de un ataque de inyección de comandos para engañar a un dispositivo NAS para que sea cargado mediante una llamada HTTP no segura. Se ha abordado esta vulnerabilidad al deshabilitar l... • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 1%CPEs: 11EXPL: 0CVE-2022-22989 – Pre-authenticated stack overflow vulnerability on FTP Service
https://notcve.org/view.php?id=CVE-2022-22989
13 Jan 2022 — My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the network. Addressed the vulnerability by adding defenses against stack overflow issues. Mi Cloud OS 5 era vulnerable a una vulnerabilidad de desbordamiento de pila preautenticada en el servicio FTP. Se abordó la vulnerabilidad añadiendo defensas contra los problemas de desbordamiento de pila • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 1%CPEs: 9EXPL: 1CVE-2021-3310 – Western Digital MyCloud PR4100 Link Resolution Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-3310
10 Mar 2021 — Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbolic Link Following on SMB and AFP shares. This can lead to code execution and information disclosure (by reading local files). Los dispositivos Western Digital My Cloud OS 5 versiones anteriores a 5.10.122, manejan inapropiadamente recursos compartidos de Symbolic Link Following en SMB y AFP. Esto puede conllevar a una ejecución de código y divulgación de información (mediante la lectura de archivos locales) This vulnerability allows ... • https://github.com/piffd0s/CVE-2021-3310 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •