CVE-2021-32534
QSAN SANOS - Command Injection
In short
QSAN SANOS storage systems have a factory reset function that doesn't properly filter user input, allowing attackers to inject and run unauthorized commands on the device without needing special permissions.
Technical detail
CWE-78 command injection in the factory reset endpoint allows unauthenticated remote attackers to execute arbitrary OS commands by supplying malicious parameters; no input validation or sanitization is performed on the reset function parameters, resulting in complete system compromise.
Summary generated and translated by AI from the official description.
QSAN SANOS factory reset function does not filter special parameters. Remote attackers can use this vulnerability to inject and execute arbitrary commands without permissions. The referred vulnerability has been solved with the updated version of QSAN SANOS v2.1.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
QSAN · SANOS