drobo 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に パス処理の欠陥 and vendor risk cross-site scripting などに関し、一部は vendor impact session compromise を招き、vendor surface production workloads and vendor surface software deployment 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2018-14705 | In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself. | [email protected] | 9.8 | 1.85% | 2020-02-24 | 2026-06-16 |
| CVE-2018-14709 | Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation. | [email protected] | 9.8 | 1.91% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14708 | An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic. | [email protected] | 9.8 | 1.27% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14707 | Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations. | [email protected] | 7.5 | 27.82% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14706 | System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request. | [email protected] | 9.8 | 17.11% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14704 | Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path. | [email protected] | 6.1 | 0.71% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14703 | Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password. | [email protected] | 9.8 | 1.34% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14702 | Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | [email protected] | 7.5 | 1.31% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14701 | System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter. | [email protected] | 9.8 | 19.99% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14700 | Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter. | [email protected] | 7.5 | 1.31% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14699 | System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter. | [email protected] | 9.8 | 29.40% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14698 | Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter. | [email protected] | 6.1 | 0.71% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14697 | Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the username URL parameter. | [email protected] | 6.1 | 0.71% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14696 | Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information. | [email protected] | 7.5 | 1.31% | 2018-12-03 | 2026-06-16 |
| CVE-2018-14695 | Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter. | [email protected] | 7.5 | 1.31% | 2018-12-03 | 2026-06-16 |