Description
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. The response sent to the user isn't sanitized in this case. An attacker can leverage this issue by including arbitrary HTML or JavaScript code as a parameter, aka XSS.
Exploits (1)
References (4)
Core 4
Core References
Exploit, Third Party Advisory, URL Repurposed x_refsource_misc
http://www.vvvsecurity.com/advisories/vvvsecurity-advisory-2017-6943.txt
Exploit, Third Party Advisory, VDB Entry exploit
x_refsource_exploit-db
https://www.exploit-db.com/exploits/42517/
Exploit, Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2017/Aug/23
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/143780/OSNEXUS-QuantaStor-4-Information-Disclosure.html
Scores
CVSS v3
6.1
EPSS
0.0240
EPSS Percentile
85.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
osnexus/quantastor
< 4.3.0
Published
Aug 28, 2017
Tracked Since
Feb 18, 2026