Vulnerabilities > Drobo
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-02-24 | CVE-2018-14705 | Improper Authentication vulnerability in Drobo 5N2 Firmware 4.0.5 In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. | 9.8 |
2018-12-03 | CVE-2018-14709 | Improper Authentication vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115 Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation. | 9.8 |
2018-12-03 | CVE-2018-14708 | Improper Authentication vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115 An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic. | 9.8 |
2018-12-03 | CVE-2018-14707 | Path Traversal vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115 Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations. | 7.5 |
2018-12-03 | CVE-2018-14706 | OS Command Injection vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115 System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request. | 9.8 |
2018-12-03 | CVE-2018-14704 | Cross-site Scripting vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115 Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path. | 6.1 |
2018-12-03 | CVE-2018-14703 | Incorrect Permission Assignment for Critical Resource vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115 Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password. | 9.8 |
2018-12-03 | CVE-2018-14702 | Information Exposure vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115 Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | 7.5 |
2018-12-03 | CVE-2018-14701 | OS Command Injection vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115 System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter. | 9.8 |
2018-12-03 | CVE-2018-14700 | Information Exposure Through Log Files vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115 Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter. | 7.5 |