drobo CVE Vulnerabilities & Metrics

Focus on drobo vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About drobo Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with drobo. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total drobo CVEs: 15
Earliest CVE date: 03 Dec 2018, 22:29 UTC
Latest CVE date: 24 Feb 2020, 19:15 UTC

Latest CVE reference: CVE-2018-14705

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical drobo CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 6.21

Max CVSS: 10.0

Critical CVEs (≥9): 2

CVSS Range vs. Count

Range Count
0.0-3.9 0
4.0-6.9 9
7.0-8.9 4
9.0-10.0 2

CVSS Distribution Chart

Top 5 Highest CVSS drobo CVEs

These are the five CVEs with the highest CVSS scores for drobo, sorted by severity first, then by recency.

All CVEs for drobo

CVE-2018-14705 drobo vulnerability CVSS: 10.0 24 Feb 2020, 19:15 UTC

In Drobo 5N2 4.0.5, all optional applications lack any form of authentication/authorization validation. As a result, any user capable of accessing the device over the network may interact with and control these applications. This not only poses a severe risk to the availability of these applications, but also poses severe risks to the confidentiality and integrity of data stored within the applications and the device itself.

CVE-2018-14709 drobo vulnerability CVSS: 5.0 03 Dec 2018, 22:29 UTC

Incorrect access control in the Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to bypass authentication due to insecure token generation.

CVE-2018-14708 drobo vulnerability CVSS: 7.5 03 Dec 2018, 22:29 UTC

An insecure transport protocol used by Drobo Dashboard API on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to intercept network traffic.

CVE-2018-14707 drobo vulnerability CVSS: 7.8 03 Dec 2018, 22:29 UTC

Directory traversal in the Drobo Pix web application on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to upload files to arbitrary locations.

CVE-2018-14706 drobo vulnerability CVSS: 10.0 03 Dec 2018, 22:29 UTC

System command injection in the /DroboPix/api/drobopix/demo endpoint on Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the payload in a POST request.

CVE-2018-14704 drobo vulnerability CVSS: 4.3 03 Dec 2018, 22:29 UTC

Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via a malformed URL path.

CVE-2018-14703 drobo vulnerability CVSS: 5.0 03 Dec 2018, 22:29 UTC

Incorrect access control in the /mysql/api/droboapp/data endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve the MySQL database root password.

CVE-2018-14702 drobo vulnerability CVSS: 5.0 03 Dec 2018, 22:29 UTC

Incorrect access control in the /drobopix/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.

CVE-2018-14701 drobo vulnerability CVSS: 7.5 03 Dec 2018, 22:29 UTC

System command injection in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.

CVE-2018-14700 drobo vulnerability CVSS: 5.0 03 Dec 2018, 22:29 UTC

Incorrect access control in the /mysql/api/logfile.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve MySQL log files via the "name" URL parameter.

CVE-2018-14699 drobo vulnerability CVSS: 7.5 03 Dec 2018, 22:29 UTC

System command injection in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to execute system commands via the "username" URL parameter.

CVE-2018-14698 drobo vulnerability CVSS: 4.3 03 Dec 2018, 22:29 UTC

Cross-site scripting in the /DroboAccess/delete_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter.

CVE-2018-14697 drobo vulnerability CVSS: 4.3 03 Dec 2018, 22:29 UTC

Cross-site scripting in the /DroboAccess/enable_user endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows attackers to execute JavaScript via the "username" URL parameter.

CVE-2018-14696 drobo vulnerability CVSS: 5.0 03 Dec 2018, 22:29 UTC

Incorrect access control in the /mysql/api/drobo.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve sensitive system information.

CVE-2018-14695 drobo vulnerability CVSS: 5.0 03 Dec 2018, 22:29 UTC

Incorrect access control in the /mysql/api/diags.php endpoint in Drobo 5N2 NAS version 4.0.5-13.28.96115 allows unauthenticated attackers to retrieve diagnostic information via the "name" URL parameter.