Medium severity (4.3) · NVD Advisory · Published Jul 12, 2021 · Updated Jun 17, 2026
CVE-2021-36383
Description
Xen Orchestra (with xo-web through 5.80.0 and xo-server through 5.84.0) mishandles authorization, as demonstrated by modified WebSocket resourceSet.getAll data in which the attacker changes the permission field from none to admin. The attacker gains access to data sets such as VMs, Backups, Audit, Users, and Groups.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| xo-web (npm) | <= 5.80.0 | — |
| xo-server (npm) | <= 5.84.0 | — |
Affected products
- Xen Orchestra / Xen Orchestra (GHSA coordinates, 2 version ranges, no CPE)
  - range: <= 5.84.0
  - range: <= 5.80.0
References
- github.com/vatesfr/xen-orchestra/issues/5712 (NVD: Exploit, Issue Tracking, Third Party Advisory)
- github.com/advisories/GHSA-grvm-gcqf-gh8q (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-36383 (NVD advisory)