CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-22168 – Cross-Site Scripting (XSS) vulnerability on Western Digital My Cloud and SanDisk ibi Web Apps
https://notcve.org/view.php?id=CVE-2024-22168
24 Jun 2024 — A Cross-Site Scripting (XSS) vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user’s browser session to carry out malicious activities.The web apps for these devices have been automatically updated to resolve this vulnerability and improve the security of your devices and data. • https://www.westerndigital.com/support/product-security/wdc-24003-western-digital-my-cloud-os-5-my-cloud-home-sandisk-ibi-and-wd-cloud-web-app-update • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22167 – SanDisk PrivateAccess DLL Hijacking Vulnerability
https://notcve.org/view.php?id=CVE-2024-22167
13 Mar 2024 — A potential DLL hijacking vulnerability in the SanDisk PrivateAccess application for Windows that could lead to arbitrary code execution in the context of the system user. This vulnerability is only exploitable locally if an attacker has access to a copy of the user's vault or has already gained access into a user's system. This attack is limited to the system in context and cannot be propagated. Una posible vulnerabilidad de secuestro de DLL en la aplicación SanDisk PrivateAccess para Windows que podría pr... • https://www.westerndigital.com/support/product-security/wdc-24002-sandisk-privateaccess-desktop-app-v-6-4-11 • CWE-427: Uncontrolled Search Path Element •
CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 1NotCVE-2023-0003 – RSA signature verification bypass via Arbitrary Code Execution in Sansa Connect bootloader
https://notcve.org/view.php?id=NotCVE-2023-0003
06 Dec 2023 — Sansa Connect bootloader does not validate RSA signature multiprecision integer (MPI) length. Attacker can supply image that combined with specific MPI length leads to Arbitrary Code Execution via overwritten return address on stack. • https://github.com/desowin/zsitool/blob/master/exploit.md • CWE-121: Stack-based Buffer Overflow •
CVSS: 8.1EPSS: 23%CPEs: 3EXPL: 1CVE-2021-36750
https://notcve.org/view.php?id=CVE-2021-36750
22 Dec 2021 — ENC DataVault before 7.2 and VaultAPI v67 mishandle key derivation, making it easier for attackers to determine the passwords of all DataVault users (across USB drives sold under multiple brand names). ENC DataVault antes de la versión 7.2 y VaultAPI v67 manejan mal la derivación de claves, lo que facilita a los atacantes determinar las contraseñas de todos los usuarios de DataVault (a través de las unidades USB vendidas bajo múltiples marcas) • https://github.com/mamba-4-ever/CVE-2021-36750 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2019-13467
https://notcve.org/view.php?id=CVE-2019-13467
30 Sep 2019 — Description: Western Digital SSD Dashboard before 2.5.1.0 and SanDisk SSD Dashboard before 2.5.1.0 applications are potentially vulnerable to man-in-the-middle attacks when the applications download resources from the Dashboard web service. This vulnerability may allow an attacker to substitute downloaded resources with arbitrary files. Descripción: Western Digital SSD Dashboard versiones anteriores a 2.5.1.0 y SanDisk SSD Dashboard versiones anteriores a 2.5.1.0, las aplicaciones son potencialmente vulnera... • https://support.wdc.com/downloads.aspx?g=907&lang=en •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-13466
https://notcve.org/view.php?id=CVE-2019-13466
30 Sep 2019 — Western Digital SSD Dashboard before 2.5.1.0 and SanDisk SSD Dashboard before 2.5.1.0 have Incorrect Access Control. The “generate reports” archive is protected with a hard-coded password. An application update that addresses the protection of archive encryption is available. El panel de Western Digital SSD anterior a la versión 2.5.1.0 y el panel de SanDisk SSD anterior a la versión 2.5.1.0 tienen un control de acceso incorrecto. El archivo "generar informes" está protegido con una contraseña codificada. • https://support.wdc.com/downloads.aspx?g=907&lang=en • CWE-798: Use of Hard-coded Credentials •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16560
https://notcve.org/view.php?id=CVE-2017-16560
16 Nov 2017 — SanDisk Secure Access 3.01 vault decrypts and copies encrypted files to a temporary folder, where they can remain indefinitely in certain situations, such as if the file is being edited when the user exits the application or if the application crashes. SanDisk Secure Access 3.01 descifra y copia archivos cifrados en una carpeta temporal, donde pueden permanecer indefinidamente en determinadas situaciones. por ejemplo, si el archivo se está editando cuando el usuario sale de la aplicación o si la aplicación ... • https://medium.com/%40esterling_/cve-2017-16560-sandisk-secure-access-leaves-plain-text-copies-of-files-on-disk-4eabeca6bdbc • CWE-922: Insecure Storage of Sensitive Information •
CVSS: 4.6EPSS: 0%CPEs: 2EXPL: 0CVE-2010-0225
https://notcve.org/view.php?id=CVE-2010-0225
07 Jan 2010 — SanDisk Cruzer Enterprise USB flash drives use a fixed 256-bit key for obtaining access to the cleartext drive contents, which makes it easier for physically proximate attackers to read or modify data by determining and providing this key. Los dispositivos flash USB SanDisk Cruzer Enterprise utilizan una solución de clave de 256-bit para obtener acceso al contenido del dispositivo en texto plano, lo que hace más fácil a atacantes físicamente próximos leer o modificar información determinando y proporcionand... • http://blogs.zdnet.com/hardware/?p=6655 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2010-0224
https://notcve.org/view.php?id=CVE-2010-0224
07 Jan 2010 — SanDisk Cruzer Enterprise USB flash drives validate passwords with a program running on the host computer rather than the device hardware, which allows physically proximate attackers to access the cleartext drive contents via a modified program. Los dispositivos USB SanDisk Cruzer Enterprise validan las contraseñas con un programa que se ejecuta en el ordenador anfitrión y no en el propio dispositivo, lo que permite a atacantes cercanos físicamente, acceder a los contenidos del dispositivo mediante un progr... • http://blogs.zdnet.com/hardware/?p=6655 • CWE-255: Credentials Management Errors •
CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2010-0226
https://notcve.org/view.php?id=CVE-2010-0226
07 Jan 2010 — SanDisk Cruzer Enterprise USB flash drives do not prevent password replay attacks, which allows physically proximate attackers to access the cleartext drive contents by providing a key that was captured in a USB data stream at an earlier time. Dispositivos flash USB SanDisk Cruzer Enterprise no previenen los ataques de repetición de contraseña, lo que permite a atacantes físicamente próximos acceder al contenido del dispositivo en texto plano proporcionando una clave que fue capturada en un flujo de datos U... • http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009 • CWE-255: Credentials Management Errors •