CVE-2021-32507
QSAN Storage Manager - Absolute Path Traversal via FileDownload function
In short
A flaw in QSAN Storage Manager's file download function allows authenticated users to download any file from the server by manipulating the file path parameter, potentially exposing sensitive data like configuration files or credentials.
Technical detail
An absolute path traversal vulnerability in the FileDownload endpoint lets authenticated attackers bypass directory restrictions and retrieve arbitrary files by supplying a crafted value in the Url path parameter. Exploitation requires prior authentication and affects confidentiality only; the issue is remediated in v3.3.3.
Summary generated and translated by AI from the official description.
Absolute Path Traversal vulnerability in FileDownload in QSAN Storage Manager allows remote authenticated attackers to download arbitrary files via the Url path parameter. The referred vulnerability has been solved with the updated version of QSAN Storage Manager v3.3.3.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
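The weakness class described above, shown as an added example that is not QSAN's code: a download handler that joins a user-supplied path onto its base directory loses the base entirely when the value is absolute, while the hardened resolver rejects absolute forms and checks containment after canonicalisation. The function names, the `/srv/downloads` base and the sample paths are constructed assumptions.

```python
import ntpath
import os
import posixpath
import tempfile

def resolve_naive(base_dir, requested):
    # Weak pattern: join() silently discards base_dir when `requested` is absolute.
    return posixpath.join(base_dir, requested)

def resolve_safe(base_dir, requested):
    """Return the real path of `requested` inside base_dir, or None if rejected."""
    if not requested or "\x00" in requested:
        return None
    # Refuse POSIX-absolute, Windows-absolute, drive-qualified and UNC forms outright.
    if posixpath.isabs(requested) or ntpath.isabs(requested):
        return None
    if ntpath.splitdrive(requested)[0]:
        return None
    base = os.path.realpath(base_dir)
    # realpath() collapses ".." and follows symlinks before the containment test.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def demo():
    """Run constructed sample requests against a temporary download root."""
    samples = ["report.txt", "/opt/app/config.ini", "../secret.cfg",
               "C:\\app\\config.ini"]
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "downloads")
        os.makedirs(base)
        with open(os.path.join(base, "report.txt"), "w") as fh:
            fh.write("constructed sample file\n")
        return {s: resolve_safe(base, s) is not None for s in samples}

if __name__ == "__main__":
    # The naive join returns the absolute path untouched, outside the base.
    print(resolve_naive("/srv/downloads", "/opt/app/config.ini"))
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY '} {name}")
```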
Affected products
QSAN · Storage Manager