Drobo 5N2 Firmware vulnerabilities
15 known vulnerabilities affecting drobo/5n2_firmware.
Total CVEs
15
CISA KEV
0
Public exploits
2
Exploited in wild
0
Severity breakdown
CRITICAL7HIGH5MEDIUM3
Vulnerabilities
Page 1 of 1
CVE-2018-14701P1CRITICALCVSS 9.8PoCv4.0.5-13.28.961152018-12-03
CVE-2018-14701 [CRITICAL] CWE-78 CVE-2018-14701: System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.
System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
nvd
CVE-2018-14709P2CRITICALCVSS 9.8PoCv4.0.5-13.28.961152018-12-03
CVE-2018-14709 [CRITICAL] CWE-287 CVE-2018-14709: Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows atta
Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation.
nvd
CVE-2018-14699P2CRITICALCVSS 9.8v4.0.5-13.28.961152018-12-03
CVE-2018-14699 [CRITICAL] CWE-78 CVE-2018-14699: System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.
System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
nvd
CVE-2018-14706P2CRITICALCVSS 9.8v4.0.5-13.28.961152018-12-03
CVE-2018-14706 [CRITICAL] CWE-78 CVE-2018-14706: System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-
System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request.
nvd
CVE-2018-14707P3HIGHCVSS 7.5v4.0.5-13.28.961152018-12-03
CVE-2018-14707 [HIGH] CWE-22 CVE-2018-14707: Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allo
Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations.
nvd
CVE-2018-14705P3CRITICALCVSS 9.8v4.0.52020-02-24
CVE-2018-14705 [CRITICAL] CWE-287 CVE-2018-14705: In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validati
In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidential
nvd
CVE-2018-14703P3CRITICALCVSS 9.8v4.0.5-13.28.961152018-12-03
CVE-2018-14703 [CRITICAL] CWE-732 CVE-2018-14703: Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.
Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password.
nvd
CVE-2018-14695P3HIGHCVSS 7.5v4.0.5-13.28.961152018-12-03
CVE-2018-14695 [HIGH] CWE-200 CVE-2018-14695: Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.9
Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter.
nvd
CVE-2018-14700P3HIGHCVSS 7.5v4.0.5-13.28.961152018-12-03
CVE-2018-14700 [HIGH] CWE-532 CVE-2018-14700: Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28
Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.
nvd
CVE-2018-14708P3CRITICALCVSS 9.8v4.0.5-13.28.961152018-12-03
CVE-2018-14708 [CRITICAL] CWE-287 CVE-2018-14708: An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.9611
An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic.
nvd
CVE-2018-14702P3HIGHCVSS 7.5v4.0.5-13.28.961152018-12-03
CVE-2018-14702 [HIGH] CWE-200 CVE-2018-14702: Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.2
Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
nvd
CVE-2018-14696P3HIGHCVSS 7.5v4.0.5-13.28.961152018-12-03
CVE-2018-14696 [HIGH] CWE-200 CVE-2018-14696: Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.9
Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
nvd
CVE-2018-14697P4MEDIUMCVSS 6.1v4.0.5-13.28.961152018-12-03
CVE-2018-14697 [MEDIUM] CWE-79 CVE-2018-14697: Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.9
Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter.
nvd
CVE-2018-14698P4MEDIUMCVSS 6.1v4.0.5-13.28.961152018-12-03
CVE-2018-14698 [MEDIUM] CWE-79 CVE-2018-14698: Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.9
Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter.
nvd
CVE-2018-14704P4MEDIUMCVSS 6.1v4.0.5-13.28.961152018-12-03
CVE-2018-14704 [MEDIUM] CWE-79 CVE-2018-14704: Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows a
Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path.
nvd