CVE-2024-22168
Description
A Cross-Site Scripting (XSS) vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user's browser session to carry out malicious activities. The web apps for these devices have been automatically updated to resolve this vulnerability and improve the security of your devices and data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Western Digital My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps could allow an attacker to redirect users to a malicious domain or execute arbitrary client-side code.
Vulnerability
Details
CVE-2024-22168 is a Cross-Site Scripting (XSS) vulnerability found in the web applications for Western Digital's My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud products. The root cause is improper sanitization of user-controlled data, allowing an attacker to inject arbitrary JavaScript or HTML into the application's interface. Western Digital credits Jay Mehta for reporting this issue [1].
Exploitation
Prerequisites
The vulnerability can be exploited without authentication, as an attacker only needs to craft a malicious link or input that, when accessed or interacted with by a legitimate user, triggers the XSS payload. The attack surface is the publicly accessible web app interface, meaning an attacker does not require prior network access or privileged credentials to initiate the attack [1]. The XSS can redirect users to a malicious domain or execute arbitrary client-side code within the user's browser session.
Impact
Successful exploitation enables an attacker to perform credential reset by redirecting a user to a crafted domain, or to execute arbitrary client-side code in the user's browser. This could lead to data theft, session hijacking, or further compromise of the affected device and user accounts. The vulnerability is categorized as Medium severity [1].
Mitigation
Western Digital has automatically updated the affected web applications to version 4.28.0-102 or later, which includes proper input filtering to remediate the XSS flaw. Users are advised to ensure their web apps are updated and to review the advisory for any further recommended actions [1].
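The advisory text implies two client-side defenses: encode user-controlled data before it is rendered into HTML, and refuse post-login redirect targets that leave the app's own origin. The following JavaScript is an added illustration of both and is not Western Digital's code; the origin `https://app.example.invalid`, the function names, and the sample inputs are placeholders constructed for this example.

```javascript
// Added example (not code from the affected products): contextual HTML escaping
// plus a same-origin redirect check, the two controls that address the XSS
// and crafted-domain redirect described for CVE-2024-22168.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text so the browser treats it as data, not markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Placeholder origin for the web app; a real deployment would use its own.
const APP_ORIGIN = 'https://app.example.invalid';

// Accept only same-origin relative paths as a redirect target; anything else
// (absolute URLs, protocol-relative //host, javascript: schemes, backslash
// variants, control characters, empty input) collapses to the fallback.
function safeRedirectTarget(candidate, fallback = '/') {
  if (typeof candidate !== 'string' || candidate.length === 0) return fallback;
  if (!candidate.startsWith('/')) return fallback;
  if (/[\u0000-\u001f\u007f]/.test(candidate)) return fallback;
  let url;
  try {
    url = new URL(candidate, APP_ORIGIN);  // resolve relative to the app origin
  } catch (e) {
    return fallback;
  }
  // A "/\\host" or "//host" input resolves to a different origin; reject it.
  if (url.origin !== APP_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;
}

// Render a user-supplied display name into a greeting without interpreting markup.
function renderGreeting(displayName) {
  return `<p>Welcome, ${escapeHtml(displayName)}</p>`;
}

// Stand-alone demonstration with constructed inputs.
console.log(renderGreeting('<img src=x onerror=alert(1)>'));
console.log(safeRedirectTarget('/dashboard?tab=1'));
console.log(safeRedirectTarget('//evil.example/reset'));
```

The origin comparison after `new URL()` is the decisive check: the WHATWG parser normalizes inputs such as `/\host` and `//host` into an authority, so testing `url.origin` catches variants that simple string prefix checks miss.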
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.