CVE-2022-22999
Last modified
CVE-2022-22999 is a medium-severity vulnerability rated 4.8/10 on the CVSS scale. Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. EPSS estimates a 0.32% chance of exploitation in the next 30 days.
Description
Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Westerndigital | My Cloud Pr2100 Firmware | < 5.23.114 |
| Westerndigital | My Cloud Pr4100 Firmware | < 5.23.114 |
| Westerndigital | My Cloud Ex4100 Firmware | < 5.23.114 |
| Westerndigital | My Cloud Ex2 Ultra Firmware | < 5.23.114 |
| Westerndigital | My Cloud Mirror G2 Firmware | < 5.23.114 |
| Westerndigital | My Cloud Dl2100 Firmware | < 5.23.114 |
| Westerndigital | My Cloud Dl4100 Firmware | < 5.23.114 |
| Westerndigital | My Cloud Ex2100 Firmware | < 5.23.114 |
References
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-22999?
How severe is CVE-2022-22999?
How do I fix CVE-2022-22999?
Are you affected by CVE-2022-22999?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST