8.2
CVE-2022-22999
- EPSS 0.48%
- Published 25.07.2022 19:15:28
- Last modified 21.11.2024 06:47:46
- Source psirt@wdc.com
- Teams watchlist Login
- Open Login
Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components.
Data is provided by the National Vulnerability Database (NVD)
Westerndigital ≫ My Cloud Pr2100 Firmware Version < 5.23.114
Westerndigital ≫ My Cloud Pr4100 Firmware Version < 5.23.114
Westerndigital ≫ My Cloud Ex4100 Firmware Version < 5.23.114
Westerndigital ≫ My Cloud Ex2 Ultra Firmware Version < 5.23.114
Westerndigital ≫ My Cloud Mirror G2 Firmware Version < 5.23.114
Westerndigital ≫ My Cloud Dl2100 Firmware Version < 5.23.114
Westerndigital ≫ My Cloud Dl4100 Firmware Version < 5.23.114
Westerndigital ≫ My Cloud Ex2100 Firmware Version < 5.23.114
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.48% | 0.642 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 4.8 | 1.7 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
| psirt@wdc.com | 8.2 | 1.5 | 6 |
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.