Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Authenticated Remote COmmand Execution as root in OSNEXUS QuantaStor version 6.0.0.355 and others
Vulnerability Description
An authenticated attacker is able to create alerts that trigger a stored XSS attack. POC * go to the alert manager * open the ITSM tab * add a webhook with the URL/service token value ' -h && id | tee /tmp/ttttttddddssss #' (whitespaces are tab characters) * click add * click apply * create a test alert * The test alert will run the command “id | tee /tmp/ttttttddddssss” as root. * after the test alert inspect /tmp/ttttttddddssss it'll contain the ids of the root user.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
Vulnerability Title
OSNEXUS QuantaStor 命令注入漏洞
Vulnerability Description
OSNEXUS QuantaStor是美国OSNEXUS公司的一个统一的软件定义存储平台。 OSNEXUS QuantaStor 6.0.0.355之前版本存在安全漏洞。攻击者利用该漏洞可以以root身份执行命令。
CVSS Information
N/A
Vulnerability Type
N/A