CVE-2022-22999

moderate-risk
Published 2022-07-25

Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components.

Do I need to act?

-
0.48% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.2/10 High
LOCAL / LOW complexity

Affected Products (8)

My Cloud Pr2100 Firmware
My Cloud Ex4100 Firmware
My Cloud Ex2 Ultra Firmware
My Cloud Mirror G2 Firmware
My Cloud Dl2100 Firmware
My Cloud Dl4100 Firmware
My Cloud Ex2100 Firmware

Affected Vendors

Westerndigital

References (2)

Vendor Advisory https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmw...
Vendor Advisory https://www.westerndigital.com/support/product-security/wdc-22011-my-cloud-firmw...
41
/ 100
moderate-risk
Severity 25/34 · High
Exploitability 2/34 · Minimal
Exposure 14/34 · Moderate