Medium severity6.1NVD Advisory· Published Aug 28, 2017· Updated May 13, 2026

CVE-2017-9979

Description

On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the REST call invoked does not exist, an error will be triggered containing the invalid method previously invoked. The response sent to the user isn't sanitized in this case. An attacker can leverage this issue by including arbitrary HTML or JavaScript code as a parameter, aka XSS.

Affected products

Nexus Concepts/Quantastor
cpe:2.3:a:osnexus:quantastor:*:*:*:*:*:*:*:*
Range: <=4.3.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstormsecurity.com/files/143780/OSNEXUS-QuantaStor-4-Information-Disclosure.htmlnvdExploitThird Party AdvisoryVDB Entry
seclists.org/fulldisclosure/2017/Aug/23nvdExploitMailing ListThird Party Advisory
www.vvvsecurity.com/advisories/vvvsecurity-advisory-2017-6943.txtnvdExploitThird Party AdvisoryURL Repurposed
www.exploit-db.com/exploits/42517/nvdExploitThird Party AdvisoryVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.002
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000