CVE-2017-17560

An issue was discovered on Western Digital MyCloud PR4100 2.30.172 devices. The web administration component, /web/jquery/uploader/multi_uploadify.php, provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.
References
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:westerndigital:my_cloud_pr4100_firmware:2.30.172:*:*:*:*:*:*:*
cpe:2.3:h:westerndigital:my_cloud_pr4100:-:*:*:*:*:*:*:*

Information

Published : 2017-12-12 10:29

Updated : 2019-05-28 08:08


NVD link : CVE-2017-17560

Mitre link : CVE-2017-17560


JSON object : View

CWE
CWE-287

Improper Authentication

Advertisement

dedicated server usa

Products Affected

westerndigital

  • my_cloud_pr4100_firmware
  • my_cloud_pr4100