CVE-2017-9979
Summary
| CVE | CVE-2017-9979 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-08-28 19:29:00 UTC |
| Updated | 2017-09-08 02:28:00 UTC |
| Description | On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. The response sent to the user isn't sanitized in this case. An attacker can leverage this issue by including arbitrary HTML or JavaScript code as a parameter, aka XSS. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Osnexus | Quantastor | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| OSNEXUS QuantaStor 4 Information Disclosure ≈ Packet Storm | MISC | packetstormsecurity.com | Exploit, Third Party Advisory, VDB Entry |
| 404 Not Found | MISC | www.vvvsecurity.com | Exploit, Third Party Advisory |
| Full Disclosure: QuantaStor Software Define Storage mmultiple vulnerabilities | FULLDISC | seclists.org | Exploit, Mailing List, Third Party Advisory |
| QuantaStor Software Defined Storage < 4.3.1 - Multiple Vulnerabilities - XML webapps Exploit | EXPLOIT-DB | www.exploit-db.com | Exploit, Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.