CVE-2021-37216: Reflected XSS in QSAN Storage Manager

- 1 min


QSAN Storage Manager header page parameters does not filter special characters. Remote attackers can inject JavaScript without logging in and launch reflected XSS attacks to access and modify specific data.

Proof of Concept

Inject one of the headers e.g. in User-Agent then send a request to http_header.php:

$ curl http://host/http_header.php -A "<script>alert(1)</script>"