PT-2021-21263 · Unknown · Xen Orchestra
R3Naissance · Published 2021-07-12 · Updated 2022-07-12 · CVE-2021-36383

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Xen Orchestra versions through 5.80.0 (xo-web) and through 5.84.0 (xo-server)

Description: The issue is an incorrect authorization check. A low-privileged authenticated user (PR:L) can tamper with the resourceSet.getAll WebSocket data, changing the permission field from none to admin, and thereby gain access to sensitive data sets including VMs, Backups, Audit, Users and Groups.

Recommendations: For versions through 5.80.0 (xo-web) and through 5.84.0 (xo-server), as a temporary workaround, consider restricting access to the resourceSet.getAll WebSocket endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
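The bug class behind this entry is an authorization decision that honours a permission value carried over the WebSocket instead of the server's own record of the caller. The following Node.js snippet is an added illustration written for this page; it is not Xen Orchestra's code and does not reproduce its real message format. The user ids, resource sets, session object, `handleFrame` dispatcher and the `permission` parameter are all constructed assumptions. It places a vulnerable handler beside a hardened one so the difference in where the permission comes from is visible.

```javascript
// Added illustration, not Xen Orchestra's code. Models the bug class in the
// advisory: a handler that trusts a `permission` value sent by the client
// instead of the server's own record. All names below are constructed.

// Server-side source of truth for who is allowed what (constructed).
const USERS = {
  'user-alice': { permission: 'admin' },
  'user-bob': { permission: 'none' },
};

// Constructed resource sets; `subjects` lists the users with access.
const RESOURCE_SETS = [
  { id: 'rs-vms', name: 'VMs', subjects: ['user-alice'] },
  { id: 'rs-backups', name: 'Backups', subjects: ['user-alice'] },
  { id: 'rs-shared', name: 'Shared', subjects: ['user-alice', 'user-bob'] },
];

function listForAdmin() {
  return RESOURCE_SETS;
}

function listForSubject(userId) {
  return RESOURCE_SETS.filter((rs) => rs.subjects.includes(userId));
}

// VULNERABLE: the decision is driven by `params.permission`, which the
// client controls. A message carrying "admin" receives every set.
function vulnerableGetAll(session, params) {
  const permission = params.permission ?? USERS[session.userId].permission;
  return permission === 'admin' ? listForAdmin() : listForSubject(session.userId);
}

// HARDENED: the caller's permission is looked up from the authenticated
// session only. Anything the client says about its own permission is
// ignored and reported through `log` so a SOC can alert on the attempt.
function hardenedGetAll(session, params, log = () => {}) {
  if ('permission' in params) {
    log({ event: 'client_supplied_permission', userId: session.userId, sent: params.permission });
  }
  const user = USERS[session.userId];
  if (!user) throw new Error('unauthenticated');
  return user.permission === 'admin' ? listForAdmin() : listForSubject(session.userId);
}

// A WebSocket frame with the permission field altered (constructed sample).
const TAMPERED_FRAME = JSON.stringify({
  method: 'resourceSet.getAll',
  params: { permission: 'admin' },
});

// Minimal dispatcher: parse one frame and route it to the chosen handler.
// Returns the ids of the resource sets the handler would disclose.
function handleFrame(frame, session, handler) {
  const msg = JSON.parse(frame);
  if (msg.method !== 'resourceSet.getAll') throw new Error('unknown method');
  return handler(session, msg.params ?? {}).map((rs) => rs.id);
}

// Demonstration: the same tampered frame from a user whose real permission is "none".
const bobSession = { userId: 'user-bob' };
console.log('vulnerable:', handleFrame(TAMPERED_FRAME, bobSession, vulnerableGetAll));
console.log('hardened:  ', handleFrame(TAMPERED_FRAME, bobSession, hardenedGetAll));
```

The hardened handler is also the detection hook: a client that sends its own `permission` field is either a broken client or a tampering attempt, and a log line keyed on the session's user id gives an incident responder a concrete signal rather than a silent denial.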

Exploit

Incorrect Authorization


Weakness Enumeration

Related Identifiers

CVE-2021-36383
GHSA-GRVM-GCQF-GH8Q

Affected Products

Xen Orchestra