CVE-2014-2846
Published 2014-04-28
Priority P3 · 55 · high · 7.5 CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 8.76% (94.5th percentile)
Directory traversal vulnerability in opt/arkeia/wui/htdocs/index.php in the WD Arkeia virtual appliance (AVA) with firmware before 10.2.9 allows remote attackers to read arbitrary files and execute arbitrary PHP code via a ..././ (dot dot dot slash dot slash) in the lang Cookie parameter, as demonstrated by a request to login/doLogin.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| westerndigital | arkeia_virtual_appliance_firmware | <= 10.2.7 | — |
VulDB
Wdc Arkeia Virtual Appliance up to 10.2.6 Firmware Cookie path traversal (EDB-33005 / Nessus ID 74221)
vuldb·2026-05-12·CVSS 7.5
CVE-2014-2846 [HIGH] Wdc Arkeia Virtual Appliance up to 10.2.6 Firmware Cookie path traversal (EDB-33005 / Nessus ID 74221)
A vulnerability, which was classified as problematic, has been found in Wdc Arkeia Virtual Appliance up to 10.2.6. This affects an unknown part of the component Firmware. This manipulation of the argument Cookie causes path traversal.
This vulnerability is handled as CVE-2014-2846. The attack can be initiated remotely. Additionally, an exploit exists.
It is advisable to upgrade the affected component.
GHSA
GHSA-wqpr-5jgg-vf8q: Directory traversal vulnerability in opt/arkeia/wui/htdocs/index
ghsa_unreviewed·2022-05-13
CVE-2014-2846 [HIGH] CWE-22 GHSA-wqpr-5jgg-vf8q: Directory traversal vulnerability in opt/arkeia/wui/htdocs/index
Directory traversal vulnerability in opt/arkeia/wui/htdocs/index.php in the WD Arkeia virtual appliance (AVA) with firmware before 10.2.9 allows remote attackers to read arbitrary files and execute arbitrary PHP code via a ..././ (dot dot dot slash dot slash) in the lang Cookie parameter, as demonstrated by a request to login/doLogin.
No detection rules found.
No writeups or analysis indexed.
http://seclists.org/fulldisclosure/2014/Apr/257
http://wiki.arkeia.com/index.php/Path_Traversal_Remote_Code_Execution
http://www.securityfocus.com/archive/1/531910/100/0/threaded
Published: 2014-04-28