// For flags

CVE-2017-17560

Western Digital MyCloud multi_uploadify File Upload Vulnerability

Severity Score

9.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An issue was discovered on Western Digital MyCloud PR4100 2.30.172 devices. The web administration component, /web/jquery/uploader/multi_uploadify.php, provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.

Se ha descubierto un error en los dispositivos Western Digital MyCloud PR4100 2.30.172. El componente de administración web, /web/jquery/uploader/multi_uploadify.php, proporciona una funcionalidad de subida multiparte accesible sin autenticación. Esta característica puede emplearse para colocar un archivo en cualquier parte del sistema de archivos del dispositivo. Esto permite que un atacante pueda subir un shell PHP en el dispositivo y ejecutar código arbitrario como root.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-07-29 First Exploit
  • 2017-12-12 CVE Reserved
  • 2017-12-12 CVE Published
  • 2023-11-22 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-287: Improper Authentication
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Westerndigital
Search vendor "Westerndigital"
 My Cloud Pr4100 Firmware
Search vendor "Westerndigital" for product "My Cloud Pr4100 Firmware"
 2.30.172
Search vendor "Westerndigital" for product "My Cloud Pr4100 Firmware" and version "2.30.172"
-
Affected
in Westerndigital
Search vendor "Westerndigital"
 My Cloud Pr4100
Search vendor "Westerndigital" for product "My Cloud Pr4100"
--
Safe