Vulnerabilities in Twonky, e.g. exposing directory and file names on the HDD root (CVE-2018-7171, CVE-2018-7203)

https://www.exploit-db.com/exploits/44350/
https://packetstormsecurity.com/files/146938/TwonkyMedia-Server-7.0.11-8.5-Directory-Traversal.html
https://packetstormsecurity.com/files/146939/TwonkyMedia-Server-7.0.11-8.5-Cross-Site-Scripting.html

Two CVEs, CVE-2018-7171 and CVE-2018-7203, were recently published. The first of them (the directory traversal) can be exploited with tools like https://github.com/mechanico/sharingIsCaring/blob/master/twonky.py to obtain the names of the session files stored on the filesystem and to misuse them to log in to the device.

I have verified CVE-2018-7171 with the twonky.py linked above and can confirm that Twonky 7.2.9-6, shipped with the My Cloud Mirror Gen1 in firmware version 2.11.169 (01/12/18), is affected by this vulnerability.

The advisory lists additional My Cloud devices as vulnerable:

WDMyCloud
MyCloudEX2Ultra
WDMyCloudEX4
WDMyCloudEX2100

To mitigate this vulnerability you can browse to:

http://mywddevice:9000

and set a strong password via the advanced settings. This blocks unauthenticated access to the RPC methods used to exploit this vulnerability.