CVE-2023-22813 LOW

CVE-2023-22813: Device API endpoint missing access controls on Western Digital Mobile and Web Apps

Vendor Western Digital
Product My Cloud OS 5 Mobile App
Weakness CWE-200 · Info exposure
Published May 8, 2023
Last update January 29, 2025
View on NVD All CVEs

CVSS base score

3.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126.

Key dates

02Disclosure timeline

May 8, 2023 CVE published
January 29, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-35936 No Authentication on Logging Server CVE-2026-3691 OpenClaw Client PKCE Verifier Information Disclosure Vulnerability CVE-2024-3733 Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.15 - Information Exposure CVE-2024-1208 LearnDash LMS <= 4.10.2 - Sensitive Information Exposure via API CVE-2023-29111 Information Disclosure vulnerability in SAP Application Interface Framework (ODATA service)