Home

Description

A post-authentication remote command injection vulnerability in a CGI file in Western Digital My Cloud OS 5 devices that could allow an attacker to build files with redirects and execute larger payloads. This issue affects My Cloud OS 5 devices: before 5.26.300.

PUBLISHED Reserved 2023-01-06 | Published 2023-06-30 | Updated 2024-09-09 | Assigner WDC PSIRT




MEDIUM: 6.0CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

Any version before 5.26.300
affected

Credits

Wil Gibbs and Arvind S Raj reporter

References

www.westerndigital.com/...my-cloud-firmware-version-5-26-300

www.westerndigital.com/...my-cloud-firmware-version-5-26-300

cve.org (CVE-2023-22816)

nvd.nist.gov (CVE-2023-22816)

Download JSON