Page 3 of 11 results (0.003 seconds)

CVSS: 10.0EPSS: 97%CPEs: 2EXPL: 2

An issue was discovered on Western Digital MyCloud PR4100 2.30.172 devices. The web administration component, /web/jquery/uploader/multi_uploadify.php, provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root. Se ha descubierto un error en los dispositivos Western Digital MyCloud PR4100 2.30.172. El componente de administración web, /web/jquery/uploader/multi_uploadify.php, proporciona una funcionalidad de subida multiparte accesible sin autenticación. • https://www.exploit-db.com/exploits/43356 https://download.exploitee.rs/file/generic/Exploiteers-DEFCON25.pdf https://github.com/rapid7/metasploit-framework/pull/9248 https://www.exploitee.rs/index.php/Western_Digital_MyCloud#.2Fjquery.2Fuploader.2Fmulti_uploadify.php_.28added_08.2F06.2F2017.29 https://www.youtube.com/watch?v=EO_49pfmA5A • CWE-287: Improper Authentication •