Description
Multiple functions in NetApp OnCommand System Manager before 8.3.2 do not properly escape special characters, which allows remote authenticated users to execute arbitrary API calls via unspecified vectors.
References (2)
Core References
Patch, Vendor Advisory x_refsource_confirm
https://kb.netapp.com/support/s/article/cve-2016-3063-zapi-injection-vulnerability-in-oncommand-system-manager
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20160310-0004/
Scores
CVSS v3
7.5
EPSS
0.0118
EPSS Percentile
63.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-116
Status
published
Products (1)
netapp/oncommand_system_manager
< 8.3.1
Published
Feb 07, 2017
Tracked Since
Feb 18, 2026