Added validation of path variables so that a potential attacker cannot request a path they are not authorized to see. This prevents an attacker from learning the directory structure.
Secured the Web Admin Dashboard by using enhanced session management cookies, preventing potential attackers from cloning and compromising a user session (CWE-287).
The web file viewer used download-link tokens with insufficient entropy: an attacker who held a token for one download link could recover the seed and generate their own tokens to download other files within that user's share. The issue was resolved by increasing token entropy, making it impractical for an attacker to "crack" a token, recover the seed and formulate the hash.
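As an added illustration of the hardened approach (example code, not the My Cloud firmware's own implementation), the following issues download-link tokens from the OS CSPRNG, stores only a hash of each token server-side, binds each token to one share and file, and expires it; the in-memory store and the 600-second lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store: sha256(token) -> (share, filename, expiry).
# Only the hash is kept, so a leaked store does not hand out usable tokens.
_ISSUED: Dict[str, Tuple[str, str, int]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_download_token(share: str, filename: str, ttl_seconds: int = 600,
                         now: Optional[int] = None) -> str:
    """Issue a download-link token bound to one file in one share.

    The token is 256 bits drawn from the OS CSPRNG, not from a seeded PRNG,
    so holding one token (or knowing when it was issued) reveals nothing
    about any other token.
    """
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)
    _ISSUED[_digest(token)] = (share, filename, now + ttl_seconds)
    return token


def verify_download_token(token: str, share: str, filename: str,
                          now: Optional[int] = None) -> bool:
    """Accept the token only for the share/file it was issued for and before expiry."""
    now = int(time.time()) if now is None else now
    key = _digest(token)
    entry = _ISSUED.get(key)
    if entry is None:
        return False
    bound_share, bound_file, expires = entry
    if now >= expires:
        _ISSUED.pop(key, None)  # purge expired tokens on first use after expiry
        return False
    # Constant-time comparison of the bound scope values.
    return (hmac.compare_digest(bound_share.encode(), share.encode())
            and hmac.compare_digest(bound_file.encode(), filename.encode()))
```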
Improved credential handling for the upload-logs-to-support option: removed the hardcoded FTP credentials that were used when uploading logs. This prevents an attacker from uploading potentially malicious files to our FTP server.
Resolved leakage of debug messages in the web interface.
A warning has been added to the firmware when enabling the remote administrative dashboard feature. It is recommended to use the mycloud.com interface to interact with your My Cloud device remotely instead.