Vulnerabilities > Drobo > 5N2 > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-12-03 CVE-2018-14709 Improper Authentication vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115
Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation.
network
low complexity
drobo CWE-287
5.0
2018-12-03 CVE-2018-14704 Cross-site Scripting vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115
Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path.
network
drobo CWE-79
4.3
2018-12-03 CVE-2018-14703 Incorrect Permission Assignment for Critical Resource vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115
Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password.
network
low complexity
drobo CWE-732
5.0
2018-12-03 CVE-2018-14702 Information Exposure vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115
Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
network
low complexity
drobo CWE-200
5.0
2018-12-03 CVE-2018-14700 Information Exposure Through Log Files vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115
Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.
network
low complexity
drobo CWE-532
5.0
2018-12-03 CVE-2018-14698 Cross-site Scripting vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115
Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter.
network
drobo CWE-79
4.3
2018-12-03 CVE-2018-14697 Cross-site Scripting vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115
Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter.
network
drobo CWE-79
4.3
2018-12-03 CVE-2018-14696 Information Exposure vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115
Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
network
low complexity
drobo CWE-200
5.0
2018-12-03 CVE-2018-14695 Information Exposure vulnerability in Drobo 5N2 Firmware 4.0.513.28.96115
Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter.
network
low complexity
drobo CWE-200
5.0