CVE-2021-36383
Last modified
CVE-2021-36383 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale. Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data in which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups. EPSS estimates a 0.71% chance of exploitation in the next 30 days.
Description
Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data in which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Xen-Orchestra | Xo-Server | <= 5.84.0 |
| Xen-Orchestra | Xo-Web | <= 5.80.0 |
References
- https://github.com/vatesfr/xen-orchestra/issues/5712 (Exploit, Issue Tracking, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
