Description
Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components.
CVSS Metrics
- Vector
- CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- Attack Vector
- local
- Complexity
- low
- Privileges
- high
- User Action
- none
- Scope
- changed
- Confidentiality
- high
- Integrity
- high
- Availability
- high
- Weaknesses
- CWE-79CWE-79
Metadata
- Primary Vendor
- WESTERNDIGITAL
- Published
- 7/25/2022
- Last Modified
- 11/21/2024
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
westerndigital : my_cloud_pr2100_firmwarewesterndigital : my_cloud_pr4100_firmwarewesterndigital : my_cloud_ex4100_firmwarewesterndigital : my_cloud_ex2_ultra_firmwarewesterndigital : my_cloud_mirror_g2_firmwarewesterndigital : my_cloud_dl2100_firmwarewesterndigital : my_cloud_dl4100_firmwarewesterndigital : my_cloud_ex2100_firmware
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.