OS command injection in WD My Cloud - CVE-2016-10108
Published: January 3, 2017 / Updated: July 28, 2023
Vulnerability identifier: #VU3124
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2016-10108
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Western Digital
Affected software:
WD My Cloud
WD My Cloud
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary OS commands on vulnerable device.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via "arg" HTTP POST parameter to "/web/google_analytics.php" script. A remote attacker can send specially crafted HTTP POST request to vulnerable device and execute arbitrary OS commands with root privileges.
Successful exploitation of the vulnerability will result in full compromise of vulnerable device.
How to mitigate CVE-2016-10108
Update your WD My Cloud firmware to version 2.21.126.