CVE-2017-9979

Name of the Vulnerable Software and Affected Versions OSNEXUS QuantaStor versions prior to 4.3.1

Description The issue allows an attacker to inject arbitrary HTML or JavaScript code as a parameter in a REST call, potentially leading to a cross-site scripting (XSS) attack. When an invalid REST call is invoked, the error response contains the previously invoked method, which is not sanitized. This lack of sanitization enables the inclusion of malicious code.

Recommendations For OSNEXUS QuantaStor versions prior to 4.3.1, update to version 4.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the REST API to minimize the risk of exploitation. Avoid using parameters that could be used to inject malicious code in the affected API endpoint until the issue is resolved.