VYPR
Vendor

Drobo

Products
3
CVEs
15
Across products
16
Status
Private

Products

3

Recent CVEs

15
  • CVE-2018-14699CriDec 3, 2018
    risk 0.66cvss 9.8epss 0.29

    System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.

  • CVE-2018-14706CriDec 3, 2018
    risk 0.65cvss 9.8epss 0.17

    System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request.

  • CVE-2018-14701CriDec 3, 2018
    risk 0.65cvss 9.8epss 0.20

    System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.

  • CVE-2018-14705CriFeb 24, 2020
    risk 0.64cvss 9.8epss 0.02

    In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability…

  • CVE-2018-14709CriDec 3, 2018
    risk 0.64cvss 9.8epss 0.02

    Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation.

  • CVE-2018-14708CriDec 3, 2018
    risk 0.64cvss 9.8epss 0.01

    An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic.

  • CVE-2018-14703CriDec 3, 2018
    risk 0.64cvss 9.8epss 0.01

    Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password.

  • CVE-2018-14707HigDec 3, 2018
    risk 0.51cvss 7.5epss 0.28

    Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations.

  • CVE-2018-14702HigDec 3, 2018
    risk 0.49cvss 7.5epss 0.01

    Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.

  • CVE-2018-14700HigDec 3, 2018
    risk 0.49cvss 7.5epss 0.01

    Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.

  • CVE-2018-14696HigDec 3, 2018
    risk 0.49cvss 7.5epss 0.01

    Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.

  • CVE-2018-14695HigDec 3, 2018
    risk 0.49cvss 7.5epss 0.01

    Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter.

  • CVE-2018-14704MedDec 3, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path.

  • CVE-2018-14698MedDec 3, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter.

  • CVE-2018-14697MedDec 3, 2018
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter.