CVE-2021-36383

Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data is which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 36%
VendorProductVersion
xen-orchestraxo-server
𝑥
≤ 5.84.0
xen-orchestraxo-web
𝑥
≤ 5.80.0
𝑥
= Vulnerable software versions
References
https://github.com/vatesfr/xen-orchestra/issues/5712
https://github.com/vatesfr/xen-orchestra/issues/5712