Storage Concentrator Virtual Machine
Monthly
Reflected XSS in Stonefly Storage Concentrator (SC) and Storage Concentrator Virtual Machine (SCVM) allows an unauthenticated attacker to craft a malicious URL that, when opened by an authenticated storage administrator, causes arbitrary JavaScript to execute within the victim's browser session under the application's origin. The vulnerability stems from unsanitized user-supplied content being echoed directly into 404 error page responses, enabling session cookie theft, unauthorized administrative actions, or user redirection against storage management infrastructure. Reported via ICS-CERT (CISA advisory ICSA-26-181-06), no public exploit code or CISA KEV listing has been identified at time of analysis, though the ICS/OT context amplifies the downstream impact of successful exploitation.
Reflected XSS in Stonefly Storage Concentrator (SC) and Storage Concentrator Virtual Machine (SCVM) allows an unauthenticated attacker to craft a malicious URL that, when opened by an authenticated storage administrator, causes arbitrary JavaScript to execute within the victim's browser session under the application's origin. The vulnerability stems from unsanitized user-supplied content being echoed directly into 404 error page responses, enabling session cookie theft, unauthorized administrative actions, or user redirection against storage management infrastructure. Reported via ICS-CERT (CISA advisory ICSA-26-181-06), no public exploit code or CISA KEV listing has been identified at time of analysis, though the ICS/OT context amplifies the downstream impact of successful exploitation.