CVE-2023-22813
Published: May 8, 2023
Modified: Jan 29, 2025
CVSS v3.1: 3.3
Description
A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126.
| Vendor | Product | Versions |
|---|---|---|
| Western Digital | My Cloud OS 5 Mobile App | affected 0 - < 4.21.0 |
| Western Digital | My Cloud Home Mobile App | affected 0 - < 4.21.0 |
| SanDisk | ibi Mobile App | affected 0 - < 4.21.0 |
| Western Digital | My Cloud OS 5 Web App | affected 0 - < 4.26.0-6126 |
| Western Digital | My Cloud Home Web App | affected 0 - < 4.26.0-6126 |
| SanDisk | ibi Web App | affected 0 - < 4.26.0-6126 |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None