Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2023-22813

Опубликовано: 08 мая 2023
Источник: nvd
CVSS3: 3.3
CVSS3: 4.3
EPSS Низкий

Описание

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request.

This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:westerndigital:my_cloud:*:*:*:*:*:-:*:*
Версия до 4.26.0-6126 (исключая)
cpe:2.3:a:westerndigital:my_cloud_home:*:*:*:*:*:android:*:*
Версия до 4.21.0 (исключая)
cpe:2.3:a:westerndigital:my_cloud_home:*:*:*:*:*:iphone_os:*:*
Версия до 4.21.0 (исключая)
cpe:2.3:a:westerndigital:my_cloud_home:*:*:*:*:*:-:*:*
Версия до 4.26.0-6126 (исключая)
cpe:2.3:a:westerndigital:my_cloud_os_5:*:*:*:*:*:android:*:*
Версия до 4.21.0 (исключая)
cpe:2.3:a:westerndigital:my_cloud_os_5:*:*:*:*:*:iphone_os:*:*
Версия до 4.21.0 (исключая)
cpe:2.3:a:westerndigital:sandisk_ibi:*:*:*:*:*:android:*:*
Версия до 4.21.0 (исключая)
cpe:2.3:a:westerndigital:sandisk_ibi:*:*:*:*:*:iphone_os:*:*
Версия до 4.21.0 (исключая)
cpe:2.3:a:westerndigital:sandisk_ibi:*:*:*:*:*:-:*:*
Версия до 4.26.0-6126 (исключая)

EPSS

Процентиль: 35%
0.00139
Низкий

3.3 Low

CVSS3

4.3 Medium

CVSS3

Дефекты

CWE-200
CWE-862

Связанные уязвимости

github логотип

GHSA-775c-w7mp-r8gh

CVSS3: 3.3
github
больше 2 лет назад

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 Mobile App on Android, iOS, Western Digital My Cloud Home Mobile App on iOS, Android, SanDIsk ibi Mobile App on Android, iOS, Western Digital WD Cloud Mobile App on Android, iOS, Western Digital My Cloud OS 5 Web App, Western Digital My Cloud Home Web App, SanDisk ibi Web App and the Western Digital WD Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request.This issue affects My Cloud OS 5 Mobile App: through 4.21.0; My Cloud Home Mobile App: through 4.21.0; ibi Mobile App: through 4.21.0; WD Cloud Mobile App: through 4.21.0; My Cloud OS 5 Web App: through 4.26.0-6126; My Cloud Home Web App: through 4.26.0-6126; ibi Web App: through 4.26.0-6126; WD Web App: through 4.26.0-6126.

EPSS

Процентиль: 35%
0.00139
Низкий

3.3 Low

CVSS3

4.3 Medium

CVSS3

Дефекты

CWE-200
CWE-862