CVELIST:CVE-2021-37216 (cvelist, Twcert)
History: Aug 02, 2021 - 11:18 a.m.

CVE-2021-37216 QSAN Storage Manager - Reflected Cross-Site Scripting

2021-08-02 11:18:56
CWE-79
twcert
www.cve.org
qsan storage manager
remote attackers
reflected xss

CVSS3: 6.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 46.0%

QSAN Storage Manager header page parameters do not filter special characters. Remote attackers can inject JavaScript without logging in and launch reflected XSS attacks to access and modify specific data.

CNA Affected

[
  {
    "product": "Storage Manager XN8008T",
    "vendor": "QSAN",
    "versions": [
      {
        "lessThanOrEqual": "3.3.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Storage Manager XN8024R",
    "vendor": "QSAN",
    "versions": [
      {
        "lessThanOrEqual": "3.1.5",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
