Shodan
Vulnerabilities
Vulnerable Software
Drobo:  >> 5n2 Firmware  >> 4.0.5-13.28.96115  Security Vulnerabilities
CVE-2018-14695
Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter.
CVSS Score
7.5
EPSS Score
0.005
Published
2018-12-03
CVE-2018-14696
Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
CVSS Score
7.5
EPSS Score
0.005
Published
2018-12-03
CVE-2018-14697
Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-12-03
CVE-2018-14698
Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-12-03
CVE-2018-14699
System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
CVSS Score
9.8
EPSS Score
0.695
Published
2018-12-03
CVE-2018-14700
Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.
CVSS Score
7.5
EPSS Score
0.005
Published
2018-12-03
CVE-2018-14701
System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
CVSS Score
9.8
EPSS Score
0.502
Published
2018-12-03
CVE-2018-14702
Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
CVSS Score
7.5
EPSS Score
0.005
Published
2018-12-03
CVE-2018-14703
Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password.
CVSS Score
9.8
EPSS Score
0.02
Published
2018-12-03
CVE-2018-14704
Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-12-03


Products
Pricing
Contact Us

Shodan ® - All rights reserved