Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Westerndigital Subscribe
Total 66 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-10951 1 Westerndigital 2 Ibi, My Cloud Home 2023-02-28 4.3 MEDIUM 4.7 MEDIUM
Western Digital My Cloud Home and ibi devices before 2.2.0 allow clickjacking on sign-in pages.
CVE-2021-36226 1 Westerndigital 2 My Cloud Os, My Cloud Pr4100 2023-02-14 N/A 9.8 CRITICAL
Western Digital My Cloud devices before OS5 do not use cryptographically signed Firmware upgrade files.
CVE-2021-36225 1 Westerndigital 2 My Cloud Os, My Cloud Pr4100 2023-02-14 N/A 8.8 HIGH
Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation.
CVE-2021-36224 1 Westerndigital 2 My Cloud Os, My Cloud Pr4100 2023-02-14 N/A 9.8 CRITICAL
Western Digital My Cloud devices before OS5 have a nobody account with a blank password.
CVE-2022-23005 2 Jedec, Westerndigital 4 Universal Flash Storage, Inand Eu311 Mobile Mc Ufs, Inand Eu312 Automotive Xa At Ufs and 1 more 2023-02-08 N/A 8.7 HIGH
Western Digital has identified a weakness in the UFS standard that could result in a security vulnerability. This vulnerability may exist in some systems where the Host boot ROM code implements the UFS Boot feature to boot from UFS compliant storage devices. The UFS Boot feature, as specified in the UFS standard, is provided by UFS devices to support platforms that need to download the system boot loader from external non-volatile storage locations. Several scenarios have been identified in which adversaries may disable the boot capability, or revert to an old boot loader code, if the host boot ROM code is improperly implemented. UFS Host Boot ROM implementers may be impacted by this vulnerability. UFS devices are only impacted when connected to a vulnerable UFS Host and are not independently impacted by this vulnerability. When present, the vulnerability is in the UFS Host implementation and is not a vulnerability in Western Digital UFS Devices. Western Digital has provided details of the vulnerability to the JEDEC standards body, multiple vendors of host processors, and software solutions providers.
CVE-2022-29844 1 Westerndigital 16 My Cloud Dl2100, My Cloud Dl2100 Firmware, My Cloud Dl4100 and 13 more 2023-02-01 N/A 9.8 CRITICAL
A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.
CVE-2022-29843 1 Westerndigital 16 My Cloud Dl2100, My Cloud Dl2100 Firmware, My Cloud Dl4100 and 13 more 2023-02-01 N/A 9.8 CRITICAL
A command injection vulnerability in the DDNS service configuration of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to execute code in the context of the root user.
CVE-2022-29835 1 Westerndigital 1 Wd Discovery 2023-01-23 N/A 5.3 MEDIUM
WD Discovery software executable files were signed with an unsafe SHA-1 hashing algorithm. An attacker could use this weakness to create forged certificate signatures due to the use of a hashing algorithm that is not collision-free. This could thereby impact the confidentiality of user content. This issue affects: Western Digital WD Discovery WD Discovery Desktop App versions prior to 4.4.396 on Mac; WD Discovery Desktop App versions prior to 4.4.396 on Windows.
CVE-2022-29838 1 Westerndigital 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more 2022-12-12 N/A 4.6 MEDIUM
Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux.
CVE-2022-29839 2 Linux, Westerndigital 12 Linux Kernel, My Cloud, My Cloud Dl2100 and 9 more 2022-12-12 N/A 5.5 MEDIUM
Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux.
CVE-2022-29837 1 Westerndigital 6 My Cloud Home, My Cloud Home Duo, My Cloud Home Duo Firmware and 3 more 2022-12-06 N/A 7.8 HIGH
A path traversal vulnerability was addressed in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution.
CVE-2022-29836 1 Westerndigital 6 My Cloud Home, My Cloud Home Duo, My Cloud Home Duo Firmware and 3 more 2022-11-15 N/A 4.3 MEDIUM
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability was discovered via an HTTP API on Western Digital My Cloud Home; My Cloud Home Duo; and SanDisk ibi devices that could allow an attacker to abuse certain parameters to point to random locations on the file system. This could also allow the attacker to initiate the installation of custom packages at these locations. This can only be exploited once the attacker has been authenticated to the device. This issue affects: Western Digital My Cloud Home and My Cloud Home Duo versions prior to 8.11.0-113 on Linux; SanDisk ibi versions prior to 8.11.0-113 on Linux.
CVE-2022-23006 1 Westerndigital 6 My Cloud Home, My Cloud Home Duo, My Cloud Home Duo Firmware and 3 more 2022-10-03 N/A 6.7 MEDIUM
A stack-based buffer overflow vulnerability was found on Western Digital My Cloud Home, My Cloud Home Duo, and SanDisk ibi that could allow an attacker accessing the system locally to read information from /etc/version file. This vulnerability can only be exploited by chaining it with another issue. If an attacker is able to carry out a remote code execution attack, they can gain access to the vulnerable file, due to the presence of insecure functions in code. User interaction is required for exploitation. Exploiting the vulnerability could result in exposure of information, ability to modify files, memory access errors, or system crashes.
CVE-2020-29563 1 Westerndigital 6 My Cloud Ex2 Ultra, My Cloud Ex4100, My Cloud Mirror Gen 2 and 3 more 2022-08-05 7.5 HIGH 9.8 CRITICAL
An issue was discovered on Western Digital My Cloud OS 5 devices before 5.07.118. A NAS Admin authentication bypass vulnerability could allow an unauthenticated user to gain access to the device.
CVE-2022-23004 1 Westerndigital 1 Sweet B 2022-08-05 N/A 5.3 MEDIUM
When computing a shared secret or point multiplication on the NIST P-256 curve using a public key with an X coordinate of zero, an error is returned from the library, and an invalid unreduced value is written to the output buffer. This may be leveraged by an attacker to cause an error scenario, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
CVE-2022-23003 1 Westerndigital 1 Sweet B 2022-08-05 N/A 5.3 MEDIUM
When computing a shared secret or point multiplication on the NIST P-256 curve that results in an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output may cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario or incorrect choice of session key in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
CVE-2022-23002 1 Westerndigital 1 Sweet B 2022-08-05 N/A 5.3 MEDIUM
When compressing or decompressing a point on the NIST P-256 elliptic curve with an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output will cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
CVE-2022-23001 1 Westerndigital 1 Sweet B 2022-08-05 N/A 5.3 MEDIUM
When compressing or decompressing elliptic curve points using the Sweet B library, an incorrect choice of sign bit is used. An attacker with user level privileges and no other user's assistance can exploit this vulnerability with only knowledge of the public key and the library. The resulting output may cause an error when used in other operations; for instance, verification of a valid signature under a decompressed public key may fail. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
CVE-2022-23000 1 Westerndigital 18 My Cloud, My Cloud Dl2100, My Cloud Dl2100 Firmware and 15 more 2022-08-03 N/A 7.8 HIGH
The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability.
CVE-2022-22999 1 Westerndigital 16 My Cloud Dl2100, My Cloud Dl2100 Firmware, My Cloud Dl4100 and 13 more 2022-08-01 N/A 4.8 MEDIUM
Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components.