CVE-2017-9979

MEDIUM

OSNEXUS QuantaStor < 4.3.0 - Cross-Site Scripting via REST Error Response

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-9979. PoCs published by VVVSecurity.

AI-analyzed exploit summary The document describes CVE-2017-9979, an XSS vulnerability in OSNEXUS QuantaStor's API where unsanitized input in the 'qsCall' parameter or 'method' key in JSONRPC allows arbitrary JavaScript execution. It also details user enumeration via differing error messages during login attempts.

Description

On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. The response sent to the user isn't sanitized in this case. An attacker can leverage this issue by including arbitrary HTML or JavaScript code as a parameter, aka XSS.

Exploits (1)

exploitdb WRITEUP

by VVVSecurity · textwebappsxml

https://www.exploit-db.com/exploits/42517

View Code ZIP pw:eip

The document describes CVE-2017-9979, an XSS vulnerability in OSNEXUS QuantaStor's API where unsanitized input in the 'qsCall' parameter or 'method' key in JSONRPC allows arbitrary JavaScript execution. It also details user enumeration via differing error messages during login attempts.

Classification

Writeup 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: OSNEXUS QuantaStor v4 virtual appliance

No auth needed

Prerequisites: Network access to the target appliance

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory, URL Repurposed x_refsource_misc

http://www.vvvsecurity.com/advisories/vvvsecurity-advisory-2017-6943.txt

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/42517/

Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2017/Aug/23

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/143780/OSNEXUS-QuantaStor-4-Information-Disclosure.html

Scores

CVSS v3 6.1

EPSS 0.0256

EPSS Percentile 83.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

osnexus/quantastor < 4.3.0

Published Aug 28, 2017

Tracked Since Feb 18, 2026