Improper Access Control

Affecting xo-server package, ALL versions


Overview

Affected versions of this package are vulnerable to Improper Access Control. Permission enforcement over the WebSocket API is not thoroughly checked, which can allow an unprivileged user to obtain data that should only be accessible to admins, such as VMs, Backups, Audit, Users, and Groups.

The WebSocket API that controls the application grants access to certain elements based purely on the response. For example, an attacker could manipulate the response of the resourceSet.getAll method to cause the UI to expose admin-level data.
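The defensive principle behind this advisory is that authorization for an API method must be decided server-side, from the server's own view of the session, before any handler runs; nothing the client does with the response can then expose data it was never sent. The following is an added example written for this page, not xo-server code: a minimal JSON-RPC-style dispatcher with a per-method permission table. Only the method name resourceSet.getAll comes from the advisory; the permission levels, session shape, other method names and handlers are hypothetical.

```javascript
// Added example (not xo-server code): per-method authorization enforced on
// the server before the handler executes. Method names other than
// resourceSet.getAll, permission levels and session shape are hypothetical.

// Required permission per API method. Methods absent from this table are
// denied by default, so a newly added method cannot be exposed by accident.
const METHOD_PERMISSIONS = {
  'resourceSet.getAll': 'admin',
  'vm.getAll': 'admin',
  'session.getUser': 'user',
};

// Hypothetical handlers returning constructed sample data.
const HANDLERS = {
  'resourceSet.getAll': () => [{ id: 'rs-1', name: 'constructed-set' }],
  'vm.getAll': () => [{ id: 'vm-1', name: 'constructed-vm' }],
  'session.getUser': (session) => ({ id: session.userId }),
};

// Ordering of permission levels; anything unknown ranks lowest.
const LEVEL = { none: 0, user: 1, admin: 2 };

// Dispatch one request on behalf of an authenticated session. The decision
// uses the server-side session record, never client-supplied fields and
// never how the UI is expected to render the result.
function dispatch(session, request) {
  const required = METHOD_PERMISSIONS[request.method];
  const handler = HANDLERS[request.method];
  if (required === undefined || handler === undefined) {
    return { jsonrpc: '2.0', id: request.id,
             error: { code: -32601, message: 'method not found' } };
  }
  if ((LEVEL[session.permission] || 0) < LEVEL[required]) {
    // Deny before the handler runs: no data is produced, so a client that
    // tampers with or replays responses has nothing admin-level to work with.
    return { jsonrpc: '2.0', id: request.id,
             error: { code: 403, message: 'unauthorized' } };
  }
  return { jsonrpc: '2.0', id: request.id,
           result: handler(session, request.params) };
}

// Constructed sample sessions and request for an offline demonstration.
const adminSession = { userId: 'u-admin', permission: 'admin' };
const userSession = { userId: 'u-plain', permission: 'user' };
const getAllRequest = { jsonrpc: '2.0', id: 1, method: 'resourceSet.getAll', params: {} };
```

Run with `dispatch(userSession, getAllRequest)` to see the unprivileged session receive an error object with no result field, while `dispatch(adminSession, getAllRequest)` returns the data.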

Remediation

There is no fixed version for xo-server.

CVSS Score

5.3 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P
Credit: @r3naissance
CVE: CVE-2021-36383
CWE: CWE-284
Snyk ID: SNYK-JS-XOSERVER-1316690
Disclosed: 13 Jul, 2021
Published: 14 Jul, 2021