CVE-2023-22813 — Sensitive Information Exposure in IBI Mobile APP

CWE-200 — Sensitive Information Exposure CWE-862 — Missing Authorization2 documents2 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 59.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sandisk IBI Mobile APP Sandisk IBI WEB APP Western Digital MY Cloud Home Mobile APP +7 more

Timeline

PublishedMay 8

Latest updateJul 6

Description

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages10 packages

▶CVEListV5western_digital/my_cloud_home_mobile_app< 4.21.0

▶CVEListV5western_digital/my_cloud_os_5_mobile_app< 4.21.0

▶NVDwesterndigital/my_cloud_home< 4.21.0+1

▶CVEListV5western_digital/my_cloud_home_web_app< 4.26.0-6126

▶NVDwesterndigital/my_cloud< 4.26.0-6126

🔴Vulnerability Details

GHSA

GHSA-775c-w7mp-r8gh: A device API endpoint was missing access controls on Western Digital My Cloud OS 5 Mobile App on Android, iOS, Western Digital My Cloud Home Mobile Ap↗2023-07-06

▶