ID:9210 - Exploit for OS command injection in WD My Cloud - CVE-2016-10108

CSH
CYBERSECURITY HELP
Sign In REGISTER
 
Main Vulnerability Database Exploits ID:9210 - Exploit for OS command injection in WD My Cloud - CVE-2016-10108

ID:9210 - Exploit for OS command injection in WD My Cloud - CVE-2016-10108

Published: July 28, 2023


Vulnerability identifier: #VU3124
Vulnerability risk: High
CVE-ID: CVE-2016-10108
CWE-ID: CWE-78
Exploitation vector: Remote access
Vulnerable software:
WD My Cloud

Link to public exploit:


Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary OS commands on vulnerable device.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via "arg" HTTP POST parameter to "/web/google_analytics.php" script. A remote attacker can send specially crafted HTTP POST request to vulnerable device and execute arbitrary OS commands with root privileges.

Successful exploitation of the vulnerability will result in full compromise of vulnerable device.


Remediation

Update your WD My Cloud firmware to version 2.21.126.