CVE-2021-36383

MEDIUM

Xen Orchestra <5.84.0 - Privilege Escalation

Title source: llm
STIX 2.1

Description

Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.

References (1)

Core 1
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/vatesfr/xen-orchestra/issues/5712

Scores

CVSS v3 4.3
EPSS 0.0071
EPSS Percentile 49.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

Status published
Products (4)
npm/xo-server 0npm
npm/xo-web 0npm
xen-orchestra/xo-server < 5.84.0
xen-orchestra/xo-web < 5.80.0
Published Jul 12, 2021
Tracked Since Feb 18, 2026