Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Drobo Subscribe
Filtered by product 5n2
Total 15 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-14709 1 Drobo 2 5n2, 5n2 Firmware 2020-03-13 5.0 MEDIUM 9.8 CRITICAL
Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation.
CVE-2018-14701 1 Drobo 2 5n2, 5n2 Firmware 2020-03-13 7.5 HIGH 9.8 CRITICAL
System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
CVE-2018-14705 1 Drobo 2 5n2, 5n2 Firmware 2020-03-02 10.0 HIGH 9.8 CRITICAL
In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself.
CVE-2018-14706 1 Drobo 2 5n2, 5n2 Firmware 2019-10-02 10.0 HIGH 9.8 CRITICAL
System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request.
CVE-2018-14703 1 Drobo 2 5n2, 5n2 Firmware 2019-10-02 5.0 MEDIUM 9.8 CRITICAL
Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password.
CVE-2018-14699 1 Drobo 2 5n2, 5n2 Firmware 2019-10-02 7.5 HIGH 9.8 CRITICAL
System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
CVE-2018-14708 1 Drobo 2 5n2, 5n2 Firmware 2019-02-05 7.5 HIGH 9.8 CRITICAL
An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic.
CVE-2018-14695 1 Drobo 2 5n2, 5n2 Firmware 2018-12-20 5.0 MEDIUM 7.5 HIGH
Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter.
CVE-2018-14700 1 Drobo 2 5n2, 5n2 Firmware 2018-12-20 5.0 MEDIUM 7.5 HIGH
Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.
CVE-2018-14707 1 Drobo 2 5n2, 5n2 Firmware 2018-12-20 7.8 HIGH 7.5 HIGH
Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations.
CVE-2018-14704 1 Drobo 2 5n2, 5n2 Firmware 2018-12-20 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path.
CVE-2018-14702 1 Drobo 2 5n2, 5n2 Firmware 2018-12-20 5.0 MEDIUM 7.5 HIGH
Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
CVE-2018-14696 1 Drobo 2 5n2, 5n2 Firmware 2018-12-20 5.0 MEDIUM 7.5 HIGH
Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
CVE-2018-14698 1 Drobo 2 5n2, 5n2 Firmware 2018-12-20 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter.
CVE-2018-14697 1 Drobo 2 5n2, 5n2 Firmware 2018-12-20 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter.