PT-2017-3361 · Western Digital · Western Digital Mycloud Pr4100

Zenofex · Published 2017-12-12 · Updated 2019-05-28 · CVE-2017-17560

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Western Digital MyCloud PR4100 version 2.30.172

Description: An issue in the web administration component makes the multipart upload functionality reachable without authentication. It concerns the "/web/jquery/uploader/multi_uploadify.php" endpoint, which can be used to write a file to any location on the device's file system. As a result, an attacker can upload a PHP shell to the device and obtain arbitrary code execution as root. The root cause is a deficiency in the authentication procedure of the web interface.

Recommendations: For Western Digital MyCloud PR4100 version 2.30.172, as a temporary workaround, consider disabling access to the "/web/jquery/uploader/multi_uploadify.php" endpoint until a patch is available. Restricting access to this endpoint reduces the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

Improper Authentication

Related identifiers

BDU:2018-00132
CVE-2017-17560

Affected products

Western Digital Mycloud Pr4100