XSS in Osnexus Quantastor
CVE-2021-42080
An attacker is able to launch a Reflected XSS attack using a crafted URL. POC: Visit the following URL https://<IPADDRESS>:8153/qstorapi/echo?inputMessage=<img%20src=x%20onerror=alert(document.cookie)>
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.002 (39.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.4 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N.
Affected products
- Osnexus Quantastor — versions 0
Weakness classification (CWE)
References
- www.wbsec.nl/osnexus (third-party-advisory, technical-description)
- csirt.divd.nl/DIVD-2021-00020/ (third-party-advisory)
- www.osnexus.com/products/software-defined-storage (product)
- csirt.divd.nl/CVE-2021-42080 (third-party-advisory, technical-description, exploit)
Frequently asked questions
- What is CVE-2021-42080?
- CVE-2021-42080 is a high-severity vulnerability in Osnexus Quantastor, classified under Cross-site Scripting. CVSS score: 7.4/10. Published 2023-07-10.
- How severe is CVE-2021-42080?
- High severity. CVSS v3 base score is 7.4 out of 10.