github - ghsa-4h8r-hw75-4wxx

ghsa-4h8r-hw75-4wxx

Vulnerability from github

Published

2022-07-26 00:00

Modified

2022-08-02 00:00

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-22999"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-25T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user\u0027s browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components.",
  "id": "GHSA-4h8r-hw75-4wxx",
  "modified": "2022-08-02T00:00:24Z",
  "published": "2022-07-26T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22999"
    },
    {
      "type": "WEB",
      "url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2022-22999

Vulnerability from cvelistv5

Published

2022-07-25 18:47

Modified

2024-08-03 03:28

Severity ?

8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Summary

Cross-site Scripting Vulnerability in USB Backups App

References

▼	URL	Tags
	https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114	x_refsource_MISC

Impacted products

▼	Vendor	Product
	Western Digital	My Cloud

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T03:28:42.794Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "Linux"
          ],
          "product": "My Cloud",
          "vendor": "Western Digital",
          "versions": [
            {
              "lessThan": "5.23.114",
              "status": "affected",
              "version": "My Cloud OS 5",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user\u0027s browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T18:47:36",
        "orgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
        "shortName": "WDC PSIRT"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site Scripting Vulnerability in USB Backups App",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@wdc.com",
          "ID": "CVE-2022-22999",
          "STATE": "PUBLIC",
          "TITLE": "Cross-site Scripting Vulnerability in USB Backups App"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "My Cloud",
                      "version": {
                        "version_data": [
                          {
                            "platform": "Linux",
                            "version_affected": "\u003c",
                            "version_name": "My Cloud OS 5",
                            "version_value": "5.23.114"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Western Digital"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user\u0027s browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114",
              "refsource": "MISC",
              "url": "https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmware-version-5-23-114"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification."
          }
        ],
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cb3b742e-5145-4748-b44b-5ffd45bf3b6a",
    "assignerShortName": "WDC PSIRT",
    "cveId": "CVE-2022-22999",
    "datePublished": "2022-07-25T18:47:36",
    "dateReserved": "2022-01-10T00:00:00",
    "dateUpdated": "2024-08-03T03:28:42.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted