CVE-2017-9978

MEDIUM

OSNEXUS QuantaStor < 4.3.0 - User Enumeration via Error Message

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-9978. PoCs published by VVVSecurity.

AI-analyzed exploit summary: The document describes CVE-2017-9979, an XSS vulnerability in OSNEXUS QuantaStor's API where unsanitized input in the 'qsCall' parameter or 'method' key in JSONRPC allows arbitrary JavaScript execution. It also details user enumeration via differing error messages during login attempts.

Description

On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, the error message returned for a login attempt with a non-existent user differs from the one returned for an existing user. An attacker could use this difference to enumerate valid accounts on the system by trying common usernames.

Exploits (1)

exploitdb WRITEUP
by VVVSecurity · textwebappsxml
https://www.exploit-db.com/exploits/42517


Classification
Writeup 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: OSNEXUS QuantaStor v4 virtual appliance
No auth needed
Prerequisites: Network access to the target appliance
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory, URL Repurposed x_refsource_misc
http://www.vvvsecurity.com/advisories/vvvsecurity-advisory-2017-6943.txt
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42517/
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2017/Aug/23

Scores

CVSS v3 5.3
EPSS 0.0475
EPSS Percentile 90.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
osnexus/quantastor < 4.3.0
Published Aug 28, 2017
Tracked Since Feb 18, 2026