Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
A device APIendpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policyand missing authentication requirement for private IPs, a remote attacker onthe same network as the device could obtain device information by convincing avictim user to visit an attacker-controlled server and issue a cross-siterequest.This issue affectsMy Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; MyCloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126;ibi Web App: before 4.26.0-6126.
- https://www.westerndigital.com/support/product-security/wdc-23004-western-digital-my-cloud-os-5-my-cloud-home-sandisk-ibi-and-wd-cloud-mobile-and-web-app-update
No PoCs found on GitHub currently.