• Skip to primary navigation
  • Skip to main content
CVE Vulnerability

CVE Vulnerability

  • CVE’s
  • Products
  • Vendors
Home » CVE’s

CVE’s


CVE
Vendors
Products
Updated
CVSS v2
CVSS v3
CVE-2022-23005
2023-02-08
N/A
8.7 HIGH
Western Digital has identified a weakness in the UFS standard that could result in a security vulnerability. This vulnerability may exist in some systems where the Host boot ROM code implements the UFS Boot feature to boot from UFS compliant storage devices. The UFS Boot feature, as specified in the UFS standard, is provided by UFS devices to support platforms that need to download the system boot loader from external non-volatile storage locations. Several scenarios have been identified in which adversaries may disable the boot capability, or revert to an old boot loader code, if the host boot ROM code is improperly implemented. UFS Host Boot ROM implementers may be impacted by this vulnerability. UFS devices are only impacted when connected to a vulnerable UFS Host and are not independently impacted by this vulnerability. When present, the vulnerability is in the UFS Host implementation and is not a vulnerability in Western Digital UFS Devices. Western Digital has provided details of the vulnerability to the JEDEC standards body, multiple vendors of host processors, and software solutions providers.
CVE-2022-23004
2022-08-05
N/A
5.3 MEDIUM
When computing a shared secret or point multiplication on the NIST P-256 curve using a public key with an X coordinate of zero, an error is returned from the library, and an invalid unreduced value is written to the output buffer. This may be leveraged by an attacker to cause an error scenario, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
CVE-2022-23003
2022-08-05
N/A
5.3 MEDIUM
When computing a shared secret or point multiplication on the NIST P-256 curve that results in an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output may cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario or incorrect choice of session key in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
CVE-2022-23002
2022-08-05
N/A
5.3 MEDIUM
When compressing or decompressing a point on the NIST P-256 elliptic curve with an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output will cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
CVE-2022-23001
2022-08-05
N/A
5.3 MEDIUM
When compressing or decompressing elliptic curve points using the Sweet B library, an incorrect choice of sign bit is used. An attacker with user level privileges and no other user's assistance can exploit this vulnerability with only knowledge of the public key and the library. The resulting output may cause an error when used in other operations; for instance, verification of a valid signature under a decompressed public key may fail. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
CVE-2022-23000
My Cloud Pr4100 Firmware, Westerndigital
Sandisk_x600_sd9tb8w-128g_firmware, Sandisk_x600_sd9tb8w-128g, Sandisk_x600_sd9tb8w-256g_firmware, Sandisk_x600_sd9tb8w-256g, Sandisk_x600_sd9tb8w-512g_firmware, Sandisk_x600_sd9tb8w-512g, Sandisk_x600_sd9tb8w-1t00_firmware, Sandisk_x600_sd9tb8w-1t00, Sandisk_x600_sd9tb8w-2t00_firmware, Sandisk_x600_sd9tb8w-2t00
2022-08-03
N/A
7.8 HIGH
The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability.
CVE-2022-2300
2022-07-12
N/A
5.4 MEDIUM
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.
CVE-2022-22999
My Cloud Pr4100 Firmware, Westerndigital
Sandisk_x600_sd9tb8w-128g_firmware, Sandisk_x600_sd9tb8w-128g, Sandisk_x600_sd9tb8w-256g_firmware, Sandisk_x600_sd9tb8w-256g, Sandisk_x600_sd9tb8w-512g_firmware, Sandisk_x600_sd9tb8w-512g, Sandisk_x600_sd9tb8w-1t00_firmware, Sandisk_x600_sd9tb8w-1t00, Sandisk_x600_sd9tb8w-2t00_firmware, Sandisk_x600_sd9tb8w-2t00
2022-08-01
N/A
4.8 MEDIUM
Western Digital My Cloud devices are vulnerable to a cross side scripting vulnerability that can allow a malicious user with elevated privileges access to drives being backed up to construct and inject JavaScript payloads into an authenticated user's browser. As a result, it may be possible to gain control over the authenticated session, steal data, modify settings, or redirect the user to malicious websites. The scope of impact can extend to other components.
CVE-2022-22998
2022-07-20
N/A
7.5 HIGH
Implemented protections on AWS credentials that were not properly protected.
CVE-2022-22997
2022-07-20
N/A
9.8 CRITICAL
Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices.
« Previous 1 … 10,624 10,625 10,626 10,627 10,628 … 11,258 Next »

Copyright CVE Vulnerabilities 2023
Data Sources:

  • NIST
  • MITRE
  • CVE Search
  • Open CVE