mycloud.com Web Version 2.2.0-134, XSS Vulnerability


WDC Tracking Number: WDC-20003
Product Line/Web: My Cloud
Published: February 21, 2020

Last Updated: February 21, 2020

Description

A reflected and DOM-based XSS vulnerability was addressed in mycloud.com cloud services which could allow an attacker to exfiltrate a user’s session and take over their cloud account. The victim can be tricked into issuing a request which could be used to execute a malicious script.

Site Impact    Last Updated
mycloud.com    March 6, 2020

Advisory Summary

Resolved an issue where an attacker can execute arbitrary code in a user’s current browser session. With this XSS vulnerability, a malicious third-party website could modify the session cookie with a payload to help take over a victim’s browser. An attacker could then execute arbitrary code in the user’s browser session and access application data.

Affected cloud service URLs include idp.mycloud.com and files.mycloud.com. The vulnerability is fixed in the latest update, version 2.2.0-134.

CVE Number: CVE-2020-8960

Reported by: Frantisek Uhrecky