#VU3124 OS command injection in WD My Cloud - CVE-2016-10108
Published: January 3, 2017 / Updated: July 28, 2023
Vulnerability identifier: #VU3124
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2016-10108
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
WD My Cloud
WD My Cloud
Software vendor:
Western Digital
Western Digital
Description
The vulnerability allows a remote attacker to execute arbitrary OS commands on vulnerable device.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via "arg" HTTP POST parameter to "/web/google_analytics.php" script. A remote attacker can send specially crafted HTTP POST request to vulnerable device and execute arbitrary OS commands with root privileges.
Successful exploitation of the vulnerability will result in full compromise of vulnerable device.
Remediation
Update your WD My Cloud firmware to version 2.21.126.