Description
Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.
References (1)
Core 1
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/vatesfr/xen-orchestra/issues/5712
Scores
CVSS v3
4.3
EPSS
0.0071
EPSS Percentile
49.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
Status
published
Products (4)
npm/xo-server
0npm
npm/xo-web
0npm
xen-orchestra/xo-server
< 5.84.0
xen-orchestra/xo-web
< 5.80.0
Published
Jul 12, 2021
Tracked Since
Feb 18, 2026