WDC Tracking Number: WDC-20003
Product Line/Web: My Cloud
Published: February 21, 2020
Last Updated: February 21, 2020
A reflected and DOM-based XSS vulnerability was addressed in mycloud.com cloud services which could allow an attacker to exfiltrate a user’s session and take over their cloud account. The victim can be tricked into issuing a request which could be used to execute a malicious script.
Resolved an issue where an attacker can execute arbitrary code in a user’s current browser session. With this XSS vulnerability, a malicious third-party website could modify the session cookie with a payload to help take over a victim’s browser. An attacker could then execute arbitrary code in the user’s browser session and access application data.
Affected cloud service URLs include idp.mycloud.com and files.mycloud.com. The vulnerability is fixed in the latest update, version 2.2.0-134.
CVE Number: CVE-2020-8960
Reported by: Frantisek Uhrecky
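
The advisory does not publish the affected code, so the following is an added illustration of the general defensive point behind it, that cookie contents are attacker-influenceable input; it is not code from Western Digital or the mycloud.com services. The cookie name `display_name`, the banner markup and every function name are assumptions made for the example.

```javascript
// Added illustration; not Western Digital's code. The cookie name
// "display_name" and all function names here are hypothetical.

// Read one cookie from a document.cookie-style string.
// Returns null if the cookie is absent or its percent-encoding is malformed.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1 || part.slice(0, eq).trim() !== name) continue;
    try {
      return decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      return null; // URIError on bad encoding: treat the cookie as absent
    }
  }
  return null;
}

// Weak pattern: cookie text is concatenated into markup unchanged, so
// whatever a third party managed to place in the cookie becomes HTML.
function renderBannerUnsafe(cookieString) {
  const v = readCookie(cookieString, "display_name");
  return '<span class="user">' + (v === null ? "guest" : v) + "</span>";
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened pattern: allowlist the expected shape first, then encode on
// output anyway so a later loosening of the pattern does not reopen the hole.
const DISPLAY_NAME = /^[\p{L}\p{N} ._-]{1,64}$/u;
function renderBannerSafe(cookieString) {
  const v = readCookie(cookieString, "display_name");
  const name = v !== null && DISPLAY_NAME.test(v) ? v : "guest";
  return '<span class="user">' + escapeHtml(name) + "</span>";
}

// Constructed sample input: a cookie string whose value carries markup.
const TAMPERED =
  "theme=dark; display_name=" + encodeURIComponent("<img src=x onerror=alert(1)>");
```

In a browser the same rule applies at the sink: assign the validated value with `textContent` rather than `innerHTML`.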