PT-2023-18711 · Western Digital · My Cloud Home Mobile App and 5 other products
Published: 2023-05-08 · Updated: 2023-05-16 · CVE-2023-22813
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
My Cloud OS 5 Mobile App versions prior to 4.21.0
My Cloud Home Mobile App versions prior to 4.21.0
ibi Mobile App versions prior to 4.21.0
My Cloud OS 5 Web App versions prior to 4.26.0-6126
My Cloud Home Web App versions prior to 4.26.0-6126
ibi Web App versions prior to 4.26.0-6126
Description
A device API endpoint was missing access controls due to a permissive CORS policy and a missing authentication requirement for private IPs. This allowed a remote attacker on the same network as the device to obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request.
Recommendations
For My Cloud OS 5 Mobile App versions prior to 4.21.0, update to version 4.21.0 or later.
For My Cloud Home Mobile App versions prior to 4.21.0, update to version 4.21.0 or later.
For ibi Mobile App versions prior to 4.21.0, update to version 4.21.0 or later.
For My Cloud OS 5 Web App versions prior to 4.26.0-6126, update to version 4.26.0-6126 or later.
For My Cloud Home Web App versions prior to 4.26.0-6126, update to version 4.26.0-6126 or later.
For ibi Web App versions prior to 4.26.0-6126, update to version 4.26.0-6126 or later.
Fix
Missing Authorization
Information Disclosure
Affected Products
My Cloud Home Mobile App
My Cloud Home Web App
My Cloud OS 5 Mobile App
My Cloud OS 5 Web App
ibi Mobile App
ibi Web App