Drobo 5N2 Firmware Security Vulnerabilities
In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself.
CVSS Score: 9.8; EPSS Score: 0.004; Published: 2020-02-24
Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter.
CVSS Score: 7.5; EPSS Score: 0.005; Published: 2018-12-03
Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
CVSS Score: 7.5; EPSS Score: 0.005; Published: 2018-12-03
Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter.
CVSS Score: 6.1; EPSS Score: 0.002; Published: 2018-12-03
Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter.
CVSS Score: 6.1; EPSS Score: 0.002; Published: 2018-12-03
System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
CVSS Score: 9.8; EPSS Score: 0.695; Published: 2018-12-03
Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.
CVSS Score: 7.5; EPSS Score: 0.005; Published: 2018-12-03
System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.
CVSS Score: 9.8; EPSS Score: 0.502; Published: 2018-12-03
Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.
CVSS Score: 7.5; EPSS Score: 0.005; Published: 2018-12-03
Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password.
CVSS Score: 9.8; EPSS Score: 0.02; Published: 2018-12-03

