First published: Mon May 08 2023
A device API endpoint was missing access controls on Western Digital My Cloud OS 5 Mobile App on Android, iOS, Western Digital My Cloud Home Mobile App on iOS, Android, SanDisk ibi Mobile App on Android, iOS, Western Digital WD Cloud Mobile App on Android, iOS, Western Digital My Cloud OS 5 Web App, Western Digital My Cloud Home Web App, SanDisk ibi Web App and the Western Digital WD Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request.

This issue affects My Cloud OS 5 Mobile App: through 4.21.0; My Cloud Home Mobile App: through 4.21.0; ibi Mobile App: through 4.21.0; WD Cloud Mobile App: through 4.21.0; My Cloud OS 5 Web App: through 4.26.0-6126; My Cloud Home Web App: through 4.26.0-6126; ibi Web App: through 4.26.0-6126; WD Web App: through 4.26.0-6126.
Credit: psirt@wdc.com
Affected Software | Affected Version | How to fix |
---|---|---|
Westerndigital My Cloud | <4.26.0-6126 | |
Westerndigital My Cloud Home | <4.21.0 | |
Westerndigital My Cloud Home | <4.26.0-6126 | |
Westerndigital My Cloud Os 5 | <4.21.0 | |
Westerndigital Sandisk Ibi | <4.21.0 | |
Westerndigital Sandisk Ibi | <4.26.0-6126 | |
CVE-2023-22813 is a vulnerability found in Western Digital My Cloud OS 5 Mobile App, My Cloud Home Mobile App, SanDisk ibi Mobile App, and WD Cloud Mobile App.
CVE-2023-22813 has a severity rating of medium (4.3).
CVE-2023-22813 affects Western Digital My Cloud OS 5 Mobile App on Android and iOS, My Cloud Home Mobile App on iOS and Android, SanDisk ibi Mobile App on Android and iOS, and WD Cloud Mobile App on Android and iOS.
The vulnerability in CVE-2023-22813 is a missing access control issue in the device API endpoint.
Yes, a fix/update is available. Please refer to the following link for more information: [link](https://www.westerndigital.com/support/product-security/wdc-23004-western-digital-my-cloud-os-5-my-cloud-home-sandisk-ibi-and-wd-cloud-mobile-and-web-app-update)