CVE-2018-9148 in WD My Cloudinfo

Summary

Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication bypass within a product that uses My Cloud.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Reservation

03/30/2018

Disclosure

03/30/2018

Moderation

VulDB entry created

Entries

VDB-115294 (1)

CPE

ready

CWE

CWE-287 (Confirmed)

Exploit

Download

CVSS

8.5

EPSS

0.02328

Activities

Very Low

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2018-9148
NVD	https://nvd.nist.gov/vuln/detail/CVE-2018-9148
CVE Details	https://www.cvedetails.com/cve/CVE-2018-9148/

◂ Previous Overview Next ▸

Do you need the next level of professionalism?

Upgrade your account now!