Session Token Embedding in Filenames Vulnerability in Western Digital WD My Cloud v04.05.00-320 Devices

CVE-2018-9148 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication bypass within a product that uses My Cloud.
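A defender-side check for this class of flaw, as an added example (not Western Digital's or the advisory's code): it walks a directory tree, flags filenames that contain a known live session ID or a string shaped like a PHP session ID, and records whether the containing directory is listable by other users. The function names, the token pattern and the sample filenames are assumptions; the advisory does not give the device's filename layout.

```python
import os
import re
import stat
import tempfile

# Heuristic (assumption): PHP session IDs are 22+ characters drawn from
# [A-Za-z0-9,-]. Long ordinary names can also match, hence "suspect".
TOKEN_RE = re.compile(r"[A-Za-z0-9,-]{22,}")


def audit_directory(root, active_tokens=()):
    """Flag filenames under root that embed a session token.

    Returns (path, status, listable) tuples. status is "confirmed" when the
    name contains one of active_tokens, "suspect" when it only matches the
    heuristic. listable is True when the containing directory grants read
    (list) permission to other users.
    """
    tokens = [t for t in active_tokens if t]  # ignore empty strings
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        listable = bool(os.stat(dirpath).st_mode & stat.S_IROTH)
        for name in sorted(files):
            if any(tok in name for tok in tokens):
                status = "confirmed"
            elif TOKEN_RE.search(name):
                status = "suspect"
            else:
                continue
            findings.append((os.path.join(dirpath, name), status, listable))
    return findings


def demo():
    """Run the audit over a constructed tree (all names are sample data)."""
    live = "0123456789abcdef0123456789abcdef"  # constructed session ID
    with tempfile.TemporaryDirectory() as root:
        # sess_<id> is the naming used by PHP's default file session handler
        for name in ("sess_" + live, "readme.txt"):
            open(os.path.join(root, name), "w").close()
        os.chmod(root, 0o755)  # world-listable, the risky case
        return [(os.path.basename(p), s, l)
                for p, s, l in audit_directory(root, [live])]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A "confirmed" finding in a listable directory is the condition the advisory describes: anyone who can enumerate that directory learns a valid session token.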
