Western Digital My Cloud OS 5, My Cloud Home, SanDisk ibi and WD Cloud Mobile and Web App Update
WDC Tracking Number: WDC-23004
Product Line: My Cloud, My Cloud Home, My Cloud Home Duo, SanDisk ibi, and WD Cloud
Published: March 5, 2023
Last Updated: March 24, 2023
Description
Western Digital My Cloud, My Cloud Home, SanDisk ibi and WD Cloud mobile and web apps have been updated to help improve the security of your devices and data.
Users of the mobile apps should promptly update the apps to reflect the latest changes. The web apps have automatically been updated.
Advisory Summary
Addressed a security concern where a device API endpoint was missing access controls. Due to a permissive CORS policy and a missing authentication requirement for requests from private IP addresses, a remote attacker could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This was addressed by enforcing token-based authentication on the corresponding endpoint to prevent unauthorized information disclosure.
CVE Number: CVE-2023-22813
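The access-control flaw summarized above, modeled as two request-handling policies for comparison. This is an added example, not Western Digital's code: the function names, the token, the origins and the addresses are constructed for illustration, and the origin allowlist in the hardened policy is an assumption that goes beyond the token enforcement the advisory states.

```python
import hmac
import ipaddress

# Assumed values for illustration; none of these come from the advisory.
TRUSTED_ORIGINS = {"https://app.example"}
VALID_TOKEN = "constructed-sample-token"


def _token_ok(headers):
    """Accept only 'Authorization: Bearer <token>' with a constant-time compare."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(
        token.encode(), VALID_TOKEN.encode())


def weak_policy(client_ip, headers):
    """Weak setting: clients on private addresses skip authentication and
    any requesting Origin is granted read access to the response."""
    is_private = ipaddress.ip_address(client_ip).is_private
    status = 200 if (is_private or _token_ok(headers)) else 401
    cors = {"Access-Control-Allow-Origin": headers.get("Origin", "*")}
    return status, cors


def hardened_policy(client_ip, headers):
    """Corrected setting: a token is required whatever the source address.
    Only allowlisted origins receive a CORS grant (added assumption)."""
    status = 200 if _token_ok(headers) else 401
    origin = headers.get("Origin")
    cors = {}
    if origin in TRUSTED_ORIGINS:
        cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return status, cors


# Constructed request: a browser on the LAN running a page from another origin.
CROSS_SITE = ("192.168.1.20", {"Origin": "https://untrusted.example"})
# Constructed request: the legitimate app presenting its token.
LEGIT = ("192.168.1.20", {"Origin": "https://app.example",
                          "Authorization": "Bearer " + VALID_TOKEN})

if __name__ == "__main__":
    for name, policy in (("weak", weak_policy), ("hardened", hardened_policy)):
        for label, (ip, hdrs) in (("cross-site", CROSS_SITE), ("legit", LEGIT)):
            print(f"{name:9} {label:11} -> {policy(ip, hdrs)}")
```

The private-address exemption is what makes the cross-site case succeed under the weak policy: the request is sent by the victim's own browser, so the device sees a LAN source address even though the page that issued it was loaded from elsewhere.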