Westerndigital My_cloud_os
18 CVEs affecting Westerndigital My_cloud_os. Latest disclosed: 2023-07-01. Critical: 5, High: 8.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-22814 | Critical | 10.0 | 2023-07-01 | An authentication bypass issue via spoofing was discovered in the token-based authentication mechanism that could allow an attacker to carry out an impersonati… |
| CVE-2022-29842 | Critical | 9.8 | 2023-05-10 | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability that could allow an attacker to execute code in the context o… |
| CVE-2021-36226 | Critical | 9.8 | 2023-02-06 | Western Digital My Cloud devices before OS5 do not use cryptographically signed Firmware upgrade files. |
| CVE-2021-36224 | Critical | 9.8 | 2023-02-06 | Western Digital My Cloud devices before OS5 have a nobody account with a blank password. |
| CVE-2022-22989 | Critical | 9.8 | 2022-01-13 | My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the… |
| CVE-2021-36225 | High | 8.8 | 2023-02-06 | Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installa… |
| CVE-2022-22994 | High | 8.8 | 2022-01-28 | A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an uns… |
| CVE-2022-29841 | High | 8.0 | 2023-05-10 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a pr… |
| CVE-2022-22993 | High | 7.8 | 2022-01-28 | A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the… |
| CVE-2022-22992 | High | 7.8 | 2022-01-28 | A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary sy… |
| CVE-2022-22991 | High | 7.8 | 2022-01-13 | A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP cal… |
| CVE-2022-22990 | High | 7.8 | 2022-01-13 | A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cl… |
| CVE-2021-3310 | High | 7.8 | 2021-03-10 | Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbolic Link Following on SMB and AFP shares. This can lead to code execution and information… |
| CVE-2023-22815 | Medium | 6.2 | 2023-06-30 | Post-authentication remote command injection vulnerability in Western Digital My Cloud OS 5 devices that could allow an attacker to execute code in the context… |
| CVE-2023-22816 | Medium | 6.0 | 2023-06-30 | A post-authentication remote command injection vulnerability in a CGI file in Western Digital My Cloud OS 5 devices that could allow an attacker to build files… |
| CVE-2022-29840 | Medium | 5.1 | 2023-05-10 | Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter w… |
| CVE-2022-29838 | Medium | 4.3 | 2022-12-09 | Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the… |
| CVE-2022-29839 | Medium | 4.1 | 2022-12-09 | Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has g… |