Vulnerabilities > Westerndigital
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-10 | CVE-2022-29840 | Server-Side Request Forgery (SSRF) vulnerability in Westerndigital MY Cloud OS Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter was addressed in Western Digital My Cloud OS 5 devices. | 5.5 |
| 2023-05-10 | CVE-2022-29841 | OS Command Injection vulnerability in Westerndigital MY Cloud OS Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. | 9.8 |
| 2023-05-10 | CVE-2022-29842 | Command Injection vulnerability in Westerndigital MY Cloud OS Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability that could allow an attacker to execute code in the context of the root user on a vulnerable CGI file was discovered in Western Digital My Cloud OS 5 devicesThis issue affects My Cloud OS 5: before 5.26.119. | 9.8 |
| 2023-05-10 | CVE-2022-36329 | Unspecified vulnerability in Westerndigital products An improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism was discovered in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices.This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191. | 7.5 |
| 2023-05-10 | CVE-2022-36330 | Classic Buffer Overflow vulnerability in Westerndigital products A buffer overflow vulnerability was discovered on firmware version validation that could lead to an unauthenticated remote code execution in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. | 8.1 |
| 2023-05-08 | CVE-2023-22813 | Missing Authorization vulnerability in Westerndigital products A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. | 4.3 |
| 2023-03-24 | CVE-2023-22812 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Westerndigital Sandisk Privateaccess SanDisk PrivateAccess versions prior to 6.4.9 support insecure TLS 1.0 and TLS 1.1 protocols which are susceptible to man-in-the-middle attacks thereby compromising confidentiality and integrity of data. | 7.4 |
| 2023-02-06 | CVE-2021-36224 | Use of Hard-coded Credentials vulnerability in Westerndigital MY Cloud OS Western Digital My Cloud devices before OS5 have a nobody account with a blank password. | 9.8 |
| 2023-02-06 | CVE-2021-36225 | Missing Authorization vulnerability in Westerndigital MY Cloud OS Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation. | 8.8 |
| 2023-02-06 | CVE-2021-36226 | Improper Verification of Cryptographic Signature vulnerability in Westerndigital MY Cloud OS Western Digital My Cloud devices before OS5 do not use cryptographically signed Firmware upgrade files. | 9.8 |