Total
15 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-14709 | 1 Drobo | 2 5n2, 5n2 Firmware | 2020-03-13 | 5.0 MEDIUM | 9.8 CRITICAL |
| Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation. | |||||
| CVE-2018-14701 | 1 Drobo | 2 5n2, 5n2 Firmware | 2020-03-13 | 7.5 HIGH | 9.8 CRITICAL |
| System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter. | |||||
| CVE-2018-14705 | 1 Drobo | 2 5n2, 5n2 Firmware | 2020-03-02 | 10.0 HIGH | 9.8 CRITICAL |
| In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself. | |||||
| CVE-2018-14706 | 1 Drobo | 2 5n2, 5n2 Firmware | 2019-10-02 | 10.0 HIGH | 9.8 CRITICAL |
| System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request. | |||||
| CVE-2018-14703 | 1 Drobo | 2 5n2, 5n2 Firmware | 2019-10-02 | 5.0 MEDIUM | 9.8 CRITICAL |
| Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password. | |||||
| CVE-2018-14699 | 1 Drobo | 2 5n2, 5n2 Firmware | 2019-10-02 | 7.5 HIGH | 9.8 CRITICAL |
| System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter. | |||||
| CVE-2018-14708 | 1 Drobo | 2 5n2, 5n2 Firmware | 2019-02-05 | 7.5 HIGH | 9.8 CRITICAL |
| An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic. | |||||
| CVE-2018-14695 | 1 Drobo | 2 5n2, 5n2 Firmware | 2018-12-20 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter. | |||||
| CVE-2018-14700 | 1 Drobo | 2 5n2, 5n2 Firmware | 2018-12-20 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter. | |||||
| CVE-2018-14707 | 1 Drobo | 2 5n2, 5n2 Firmware | 2018-12-20 | 7.8 HIGH | 7.5 HIGH |
| Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations. | |||||
| CVE-2018-14704 | 1 Drobo | 2 5n2, 5n2 Firmware | 2018-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path. | |||||
| CVE-2018-14702 | 1 Drobo | 2 5n2, 5n2 Firmware | 2018-12-20 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | |||||
| CVE-2018-14696 | 1 Drobo | 2 5n2, 5n2 Firmware | 2018-12-20 | 5.0 MEDIUM | 7.5 HIGH |
| Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | |||||
| CVE-2018-14698 | 1 Drobo | 2 5n2, 5n2 Firmware | 2018-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter. | |||||
| CVE-2018-14697 | 1 Drobo | 2 5n2, 5n2 Firmware | 2018-12-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter. | |||||