CVE-2021-32509
QSAN Storage Manager - UNIX Symbolic Link (Symlink) Following via FileviewDoc function
In short
QSAN Storage Manager has a flaw where authenticated users can access files they shouldn't by manipulating symbolic links through a URL parameter. This allows attackers to read sensitive files on the system.
Technical detail
An absolute path traversal vulnerability exists in the FileviewDoc function of QSAN Storage Manager, exploitable by authenticated attackers who inject symbolic link paths via the Url parameter. The vulnerability enables unauthorized file access, bypassing intended access controls. Fixed in v3.3.3.
Summary generated and translated by AI from the official description.
Absolute Path Traversal vulnerability in FileviewDoc in QSAN Storage Manager allows remote authenticated attackers to access arbitrary files by injecting the Symbolic Link following the Url path parameter. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
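The class of check that closes this kind of flaw, shown as an added example that is not QSAN's code: a file-view handler that rejects absolute paths and resolves symbolic links before testing that the target stays inside the served directory. The function names, the directory layout and the sample files are assumptions constructed for the demonstration; a POSIX system is assumed.

```python
import os
import tempfile

class PathRejected(Exception):
    """Raised when a requested path would leave the share root."""

def resolve_inside(base_dir, requested):
    """Return the real path of `requested` only if it stays under base_dir."""
    if os.path.isabs(requested):
        raise PathRejected("absolute path not allowed")
    base_real = os.path.realpath(base_dir)
    # realpath() follows every symlink in the path, so a link planted inside
    # the share is resolved to its true target before the containment check.
    target_real = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, target_real]) != base_real:
        raise PathRejected("path resolves outside the share root")
    return target_real

def read_document(base_dir, requested):
    """Read a file after the containment check, refusing a symlink leaf."""
    path = resolve_inside(base_dir, requested)
    # O_NOFOLLOW narrows the check-to-open race: if the final component is
    # replaced by a symlink after resolve_inside(), os.open() fails.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "rb") as fh:
        return fh.read()

def demo():
    """Build a constructed share with one escaping symlink and probe it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.mkdir(share)
        secret = os.path.join(tmp, "secret.txt")  # lives outside the share
        with open(secret, "w") as fh:
            fh.write("outside")
        with open(os.path.join(share, "report.txt"), "w") as fh:
            fh.write("inside")
        os.symlink(secret, os.path.join(share, "link.txt"))
        probes = {"report.txt": "report.txt", "link.txt": "link.txt",
                  "<absolute>": secret, "../secret.txt": "../secret.txt"}
        for label, requested in probes.items():
            try:
                results[label] = read_document(share, requested).decode()
            except PathRejected:
                results[label] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```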
Affected products
QSAN · Storage Manager