CVE-2017-9979
QuantaStor Software Defined Storage < 4.3.1 - Multiple Vulnerabilities
Public Exploits: 4
Exploited in Wild: -
Descriptions
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. The response sent to the user isn't sanitized in this case. An attacker can leverage this issue by including arbitrary HTML or JavaScript code as a parameter, aka XSS.
OSNEXUS QuantaStor version 4 suffers from multiple information disclosure vulnerabilities including user enumeration.
Timeline
- 2017-06-26 CVE Reserved
- 2017-08-14 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2025-01-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Osnexus | Quantastor | <= 4.3.0 | - | Affected