Quantastor
Monthly
Authentication bypass via SQL injection in OSNexus QuantaStor SDS Manager allows unauthenticated remote attackers to log in as administrator by injecting crafted input into the login endpoint's username field. The flaw carries a CVSS 9.8 rating and grants full administrative control over the storage management plane without any valid credentials. No public exploit identified at time of analysis, though the vulnerability was disclosed by researchers at Black Lantern Security (BLSOPS).
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw was found with the error message sent as a response for users that don't exist on the system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.4%.
Authentication bypass via SQL injection in OSNexus QuantaStor SDS Manager allows unauthenticated remote attackers to log in as administrator by injecting crafted input into the login endpoint's username field. The flaw carries a CVSS 9.8 rating and grants full administrative control over the storage management plane without any valid credentials. No public exploit identified at time of analysis, though the vulnerability was disclosed by researchers at Black Lantern Security (BLSOPS).
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw was found with the error message sent as a response for users that don't exist on the system. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.4%.