PT-2021-20871 · Unknown · Noobaa-Core

Pedro Sampaio · Published 2021-06-02 · Updated 2021-06-15 · CVE-2021-3529

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions: noobaa-core versions prior to 5.7.0
Description: A flaw in noobaa-core results in the name of an arbitrary URL being copied into an HTML document as plain text between tags, potentially including a script payload. The input is echoed unmodified in the application response, which allows arbitrary JavaScript to be injected into that response. The highest threat to the system is for confidentiality, availability, and integrity.
Recommendations: For versions prior to 5.7.0, update to version 5.7.0 or later to resolve the issue. As a temporary workaround, consider restricting the input that can be echoed in the application response to prevent arbitrary JavaScript injection.

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2021-3529

Affected Products: Noobaa-Core