CVE-2020-28940: WDC-20009 OS 5 Firmware 5.06.115 | Western Digital

On Western Digital My Cloud OS 5 devices before 5.06.115, the NAS Admin dashboard has an authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device.

My Cloud OS 5 Firmware 5.06.115

WDC Tracking Number: WDC-20009
Published: November 23, 2020

Last Updated: November 23, 2020

Description

My Cloud OS 5 was affected by an authentication bypass vulnerability. My Cloud Firmware 5.06.115 contains updates to resolve this vulnerability and help improve the security of your My Cloud devices.

| Product Impact        | Minimum Fix Version | Last Updated      |
|-----------------------|---------------------|-------------------|
| My Cloud PR2100       | 5.06.115            | November 19, 2020 |
| My Cloud PR4100       | 5.06.115            | November 19, 2020 |
| My Cloud EX2 Ultra    | 5.06.115            | November 19, 2020 |
| My Cloud EX4100       | 5.06.115            | November 19, 2020 |
| My Cloud Mirror Gen 2 | 5.06.115            | November 19, 2020 |

For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/

Advisory Summary

Addressed a NAS Admin authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device. The vulnerability was addressed through enhanced validation of URI paths.

CVE Number: CVE-2020-28940, CVE-2020-28971
Reported by: Trapa Security working with Trend Micro’s Zero Day Initiative, & DEVCORE Security Team working with Trend Micro’s Zero Day Initiative

Hardened the operating system by removing an upload endpoint that could be used by an authenticated administrator to upload executable PHP scripts.

CVE Number: CVE-2020-28970
Reported by: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative
