CVE-2023-22813

Device API endpoint missing access controls on Western Digital Mobile and Web Apps

Description

A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126.

Remediation

Solution:

  • Western Digital recommends that users of the mobile apps should promptly update the apps to reflect the latest changes. The web apps have automatically been updated.

CVSS 3.1 score: 3.3 (Severity: Low)
EPSS: 0.14%
Vendor Advisory: westerndigital.com
Affected: Western Digital My Cloud OS 5 Mobile App
Affected: Western Digital My Cloud Home Mobile App
Affected: SanDisk ibi Mobile App
Affected: Western Digital My Cloud OS 5 Web App
Affected: Western Digital My Cloud Home Web App
Affected: SanDisk ibi Web App

Frequently Asked Questions

What is the severity of CVE-2023-22813?
CVE-2023-22813 has been scored as a low severity vulnerability.
How to fix CVE-2023-22813?
To fix CVE-2023-22813: Western Digital recommends that users of the mobile apps should promptly update the apps to reflect the latest changes. The web apps have automatically been updated.
Is CVE-2023-22813 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2023-22813 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-22813?
CVE-2023-22813 affects Western Digital My Cloud OS 5 Mobile App, Western Digital My Cloud Home Mobile App, SanDisk ibi Mobile App, Western Digital My Cloud OS 5 Web App, Western Digital My Cloud Home Web App, SanDisk ibi Web App.