CVE-2018-9148

Name of the Vulnerable Software and Affected Versions Western Digital WD My Cloud version 04.05.00-320

Description The issue allows attackers to bypass authentication by listing a directory, as the session token (aka PHPSESSID) is embedded in filenames. This can be exploited in conjunction with another issue for remote authentication bypass within a product that uses My Cloud.

Recommendations For Western Digital WD My Cloud version 04.05.00-320, consider restricting access to directory listings to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.