CVE-2014-2846

Name of the Vulnerable Software and Affected Versions WD Arkeia virtual appliance (AVA) versions prior to 10.2.9

Description A directory traversal issue exists, allowing remote attackers to read arbitrary files and execute arbitrary PHP code. This is achieved by manipulating the lang Cookie parameter with a /././ (dot dot dot slash dot slash) sequence, as demonstrated by a request to "login/doLogin" API endpoint.

Recommendations For versions prior to 10.2.9, update to version 10.2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the login/doLogin API endpoint to minimize the risk of exploitation. Avoid using the lang Cookie parameter in the affected API endpoint until the issue is resolved.