Description
A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126.
CVSS Metrics
- Vector
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Attack Vector
- local
- Complexity
- low
- Privileges
- none
- User Action
- required
- Scope
- unchanged
- Confidentiality
- low
- Integrity
- none
- Availability
- none
- Weaknesses
- CWE-200CWE-862
Metadata
- Primary Vendor
- WESTERNDIGITAL
- Published
- 5/8/2023
- Last Modified
- 11/21/2024
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.