My Cloud, My Cloud Home and SanDisk ibi Web Version 4.13.0
WDC Tracking Number: WDC-21001
Product Line: My Cloud, My Cloud Home and SanDisk ibi
Published: January 19, 2021
Last Updated: January 19, 2021
A reflected XSS vulnerability was addressed in My Cloud, My Cloud Home and SanDisk ibi cloud services which could allow an attacker to execute arbitrary client-side code in the user's browser session or allow the attacker to modify the session cookie with a payload that could take over a victim's browser.
Resolved the XSS vulnerability by data filtering and encoding.
Affected cloud service URLs include os5.mycloud.com, home.mycloud.com and ibi.sandisk.com. The vulnerability is fixed in the latest updated version 4.13.0
Reported by: Frantisek Uhrecky from Citadelo