Osnexus Quantastor
9 CVEs affecting Osnexus Quantastor. Latest disclosed: 2026-06-04. Critical: 3, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-10880 | Critical | 9.8 | 2026-06-04 | OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated int… |
| CVE-2021-4406 | Critical | 9.1 | 2023-07-10 | An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert manager * open the ITSM tab * add a we… |
| CVE-2021-42081 | Critical | 9.1 | 2023-07-10 | An authenticated administrator is allowed to remotely execute arbitrary shell commands via the API. POC http://<IP_ADDRESS>/qstorapi/storageSystemModify?stora… |
| CVE-2021-42083 | High | 8.7 | 2023-07-10 | An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert manager * open the ITSM tab * add a we… |
| CVE-2021-42082 | High | 7.8 | 2023-07-10 | Local users are able to execute scripts under root privileges. POC On the local host run the following command: curl 'localhost:8154/qstor/qs_upgrade.py?tas… |
| CVE-2021-42080 | High | 7.4 | 2023-07-10 | An attacker is able to launch a Reflected XSS attack using a crafted URL. POC: Visit the following URL https://<IPADDRESS>:8153/qstorapi/echo?inputMessage=<i… |
| CVE-2021-42079 | Medium | 6.2 | 2023-07-10 | An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests. POC Step 1: Prepar… |
| CVE-2017-9979 | Medium | 6.1 | 2017-08-28 | On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method… |
| CVE-2017-9978 | Medium | 5.3 | 2017-08-28 | On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw was found with the error message sent as a response for users that don't exist on the syste… |