Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.
References
Link | Resource |
---|---|
https://github.com/vatesfr/xen-orchestra/issues/5712 | Exploit Issue Tracking Third Party Advisory |
https://github.com/vatesfr/xen-orchestra/issues/5712 | Exploit Issue Tracking Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 06:13
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/vatesfr/xen-orchestra/issues/5712 - Exploit, Issue Tracking, Third Party Advisory |
12 Jul 2022, 17:42
Type | Values Removed | Values Added |
---|---|---|
CWE | NVD-CWE-Other |
15 Jul 2021, 18:13
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 4.0
v3 : 4.3 |
CPE | cpe:2.3:a:xen-orchestra:xo-web:*:*:*:*:*:*:*:* cpe:2.3:a:xen-orchestra:xo-server:*:*:*:*:*:*:*:* |
|
CWE | CWE-863 | |
References | (MISC) https://github.com/vatesfr/xen-orchestra/issues/5712 - Exploit, Issue Tracking, Third Party Advisory |
12 Jul 2021, 14:20
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-07-12 14:15
Updated : 2024-11-21 06:13
NVD link : CVE-2021-36383
Mitre link : CVE-2021-36383
CVE.ORG link : CVE-2021-36383
JSON object : View
Products Affected
xen-orchestra
- xo-server
- xo-web
CWE