PT-2019-4262 · SoftNAS · SoftNAS Cloud

Published: 2019-03-23 · Updated: 2020-08-24 · CVE-2019-9945

CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the vulnerable software and affected versions
SoftNAS Cloud versions 4.2.0 through 4.2.1

Description
The default NGINX configuration file shipped with SoftNAS Cloud performs an inadequate check of a user cookie: the value supplied by the client is not validated, so an attacker can send an arbitrary cookie value and reach the web interface without valid credentials. If the SoftNAS StorageCenter ports are reachable from the internet, the attacker can use the Webadmin interface to create new users or execute arbitrary commands with administrative privileges, compromising both the platform and the data it stores.

Recommendations
For SoftNAS Cloud 4.2.0 and 4.2.1, restrict access to the Webadmin interface to trusted management networks until a patch is applied. As a temporary workaround, do not expose SoftNAS StorageCenter ports directly to the internet, which removes the unauthenticated attack path. At the time of writing, no newer version containing a fix for this vulnerability has been identified.
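The weak cookie check described above, reconstructed as an added nginx configuration example. This is not SoftNAS's actual configuration file, which the advisory does not reproduce: the cookie name `session`, the `/webadmin/` path, the backend address `127.0.0.1:8080`, the `/auth` validation endpoint and the `10.0.0.0/8` management range are all assumptions. The first block shows the pattern the advisory describes, where the reverse proxy treats the mere presence of a cookie as proof of login; the second shows one hardened form that combines the recommendation to restrict access with server-side session validation through `ngx_http_auth_request_module`.

```nginx
# --- Weak pattern (hypothetical reconstruction) -------------------------
# nginx decides authentication by itself: if a cookie named "session"
# exists, the request is proxied to the admin backend. Any value works,
# e.g. "Cookie: session=x", so the login step is bypassed entirely.
server {
    listen 443 ssl;
    server_name storagecenter.example.internal;   # assumed hostname

    location /webadmin/ {
        if ($cookie_session = "") {
            return 302 /login;                    # only unset cookies are redirected
        }
        proxy_pass http://127.0.0.1:8080;         # assumed backend, never sees /login
    }
}

# --- Hardened form ------------------------------------------------------
# 1. The admin path is reachable only from the management network
#    (the advisory's "restrict access" recommendation).
# 2. nginx never trusts the cookie itself; every request is first sent to
#    the application, which looks the session up and answers 2xx or 401.
server {
    listen 443 ssl;
    server_name storagecenter.example.internal;

    location = /auth {
        internal;                                 # not reachable from clients
        proxy_pass http://127.0.0.1:8080/session/validate;   # assumed endpoint
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_set_header Cookie $http_cookie;     # pass the cookie for lookup
    }

    location /webadmin/ {
        allow 10.0.0.0/8;                         # assumed management range
        deny  all;
        auth_request /auth;                       # 401 from backend blocks the request
        error_page 401 = @login;
        proxy_pass http://127.0.0.1:8080;
    }

    location @login {
        return 302 /login;
    }
}
```

With the hardened block, a forged `session=x` cookie still reaches `/auth`, but the backend's lookup fails and nginx returns the redirect instead of proxying to the admin interface; the `allow`/`deny` pair keeps the path off the internet even if the validation endpoint were later misconfigured.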

Weakness enumeration

Command Injection

Related identifiers

BDU:2019-04865
CVE-2019-9945

Affected products

Nginx
SoftNAS Cloud