xo-web@5.3.0 vulnerabilities

Web interface client for Xen-Orchestra

Direct Vulnerabilities

Known vulnerabilities in the xo-web package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Improper Access Control

Affected versions of this package are vulnerable to Improper Access Control. Permissions enforcement through WebSockets are not thoroughly checked and can lead to an unprivileged user to obtain data only accessible by admin, such as VMs, Backups, Audit, Users, and Groups.

The WebSockets that control the application API allow access to certain elements based purely on the response. For example, an attacker could manipulate the response of the resourceSet.getAll method to cause the UI to expose admin-level data.

How to fix Improper Access Control?

There is no fixed version for xo-web.

*