CVE-2021-4406 – Authenticated Remote Command Execution as root in OSNEXUS QuantaStor version 6.0.0.355 and others
https://notcve.org/view.php?id=CVE-2021-4406
An administrator is able to execute commands as root via the alerts management dialog. • https://csirt.divd.nl/CVE-2021-4406 https://www.divd.nl/DIVD-2021-00020 https://www.osnexus.com/products/software-defined-storage https://csirt.divd.nl/DIVD-2021-00020 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2021-42081 – Authenticated Remote Command Execution vulnerability in OSNEXUS QuantaStor before 6.0.0.355
https://notcve.org/view.php?id=CVE-2021-42081
An authenticated administrator is allowed to remotely execute arbitrary shell commands via the API. • https://csirt.divd.nl/CVE-2021-42081 https://www.divd.nl/DIVD-2021-00020 https://www.osnexus.com/products/software-defined-storage https://www.wbsec.nl/osnexus https://csirt.divd.nl/DIVD-2021-00020 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2021-42079 – SSRF vulnerability in OSNEXUS QuantaStor before 6.0.0.355
https://notcve.org/view.php?id=CVE-2021-42079
An authenticated administrator is able to prepare an alert that executes an SSRF attack. This works exclusively with POST requests. • https://csirt.divd.nl/CVE-2021-42079 https://www.divd.nl/DIVD-2021-00020 https://www.osnexus.com/products/software-defined-storage https://www.wbsec.nl/osnexus https://cisrt.divd.nl/DIVD-2021-00020 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2021-42080 – Reflected XSS vulnerability in OSNEXUS QuantaStor before 6.0.0.355
https://notcve.org/view.php?id=CVE-2021-42080
An attacker is able to launch a Reflected XSS attack using a crafted URL. • https://csirt.divd.nl/CVE-2021-42080 https://www.divd.nl/DIVD-2021-00020 https://www.osnexus.com/products/software-defined-storage https://www.wbsec.nl/osnexus https://csirt.divd.nl/DIVD-2021-00020 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-42082 – Local Privilege Escalation to root in OSNEXUS QuantaStor before 6.0.0.355
https://notcve.org/view.php?id=CVE-2021-42082
Local users are able to execute scripts under root privileges. • https://csirt.divd.nl/CVE-2021-42082 https://www.divd.nl/DIVD-2021-00020 https://www.osnexus.com/products/software-defined-storage https://www.wbsec.nl/osnexus https://csirt.divd.nl/DIVD-2021-00020 • CWE-269: Improper Privilege Management •