PT-2019-19955 · Western Digital · My Cloud Ex2100+8
Bnbdrwd
Published: 2019-04-24 · Updated: 2019-05-28
CVE-2019-9951
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 firmware versions prior to 2.31.174
Description
The issue allows unauthenticated file upload: arbitrary files can be uploaded to any location on the attached storage. This is possible because the "web/jquery/uploader/uploadify.php" page can be accessed without any credentials.
Recommendations
For Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100 devices running firmware versions prior to 2.31.174, update the firmware to version 2.31.174 or later to resolve the issue. As a temporary workaround, consider restricting access to the "web/jquery/uploader/uploadify.php" page to prevent unauthenticated file uploads.
Fix
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
My Cloud
My Cloud DL2100
My Cloud DL4100
My Cloud EX2 Ultra
My Cloud EX2100
My Cloud EX4100
My Cloud Mirror Gen2
My Cloud PR2100
My Cloud PR4100