VYPR
Medium severity 4.3 · NVD Advisory · Published Jul 12, 2021 · Updated Jun 17, 2026

CVE-2021-36383

Description

Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data in which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
xo-web (npm) | <= 5.80.0 |
xo-server (npm) | <= 5.84.0 |

Affected products

  • Xen Orchestra/Xen Orchestra (description)
  • ghsa-coords (2 versions)
    • (no CPE) range: <= 5.84.0
    • (no CPE) range: <= 5.80.0
