PT-2016-3231 · Western Digital · Western Digital My Cloud

Published 2016-12-29 · Updated 2023-07-28 · CVE-2016-10108

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Western Digital MyCloud NAS version 2.11.142

Description: The issue is related to unauthenticated remote command injection as root in the Western Digital MyCloud NAS. This occurs via a modified arg parameter in the POST data to the "/web/google_analytics.php" URL. The vulnerability is associated with a lack of data sanitization at the management level, allowing an attacker to inject arbitrary commands remotely using a specially crafted arg parameter sent via the POST method.

Recommendations: For Western Digital MyCloud NAS version 2.11.142, as a temporary workaround, consider restricting access to the "/web/google_analytics.php" URL to minimize the risk of exploitation. Avoid using the arg parameter in the affected URL until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Command Injection

Weakness Enumeration

Related identifiers

BDU:2017-02626
CVE-2016-10108

Affected products

Western Digital My Cloud