Page 4 of 28 results (0.002 seconds)

CVSS: 4.6EPSS: 0%CPEs: 11EXPL: 0

Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. La vulnerabilidad de autenticación inadecuada en los volúmenes cifrados y las funciones de montaje automático de los dispositivos Western Digital My Cloud permite un acceso directo inseguro a la información de la unidad en el caso de un reinicio del dispositivo. Este problema afecta: Versiones de Western Digital My Cloud My Cloud anteriores a la 5.25.124 en Linux. • https://www.westerndigital.com/support/product-security/wdc-22019-my-cloud-firmware-version-5-25-124 • CWE-287: Improper Authentication •

CVSS: 8.2EPSS: 0%CPEs: 16EXPL: 0

Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components. Los dispositivos My Cloud de Western Digital son susceptibles a una vulnerabilidad de tipo cross side scripting que puede permitir a un usuario malicioso con altos privilegios acceder a las unidades de las que está haciéndose una copia de seguridad para construir e inyectar cargas útiles de JavaScript en el navegador de un usuario autenticado. Como resultado, puede ser posible conseguir el control de la sesión autenticada, robar datos, modificar la configuración o redirigir al usuario a sitios web maliciosos. • https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 0%CPEs: 18EXPL: 0

The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability. • https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114 • CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') •

CVSS: 10.0EPSS: 0%CPEs: 26EXPL: 0

The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code. La combinación de primitivas que ofrecen SMB y AFP en su configuración por defecto permite la escritura arbitraria de archivos. Al explotar esta combinación de primitivas, un atacante puede ejecutar código arbitrario • https://lists.debian.org/debian-lts-announce/2024/01/msg00000.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/55ROUJI22SHZX5EM23QAILZHI67EZQKW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T5CZZLFOTUP3QYHGHSDUNENGSLPJ6KGO https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XO34FWOIJI6V6PH2XY52WNBBARVWPJG2 https://security.gentoo.org/glsa/202311-02 https://www.westerndigital.com/support/product-security/wdc& • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVSS: 9.8EPSS: 5%CPEs: 11EXPL: 0

A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP. Se ha detectado una vulnerabilidad de ejecución de código remota en los dispositivos My Cloud de Western Digital donde un atacante podía engañar a un dispositivo NAS para cargar mediante una llamada HTTP no segura. Esto era el resultado de una verificación insuficiente de las llamadas al dispositivo. • https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 https://www.zerodayinitiative.com/advisories/ZDI-22-349 • CWE-345: Insufficient Verification of Data Authenticity •