Critical severity9.1NVD Advisory· Published Jul 10, 2023· Updated Jun 17, 2026
CVE-2021-4406
CVE-2021-4406
Description
An authenticated attacker is able to create alerts that trigger a stored XSS attack.
POC
- go to the alert manager
- open the ITSM tab
- add a webhook with the URL/service token value
' -h && id | tee /tmp/ttttttddddssss #' (whitespaces are tab characters)
- click add
- click apply
- create a test alert
- The test alert will run the command
“id | tee /tmp/ttttttddddssss” as root.
- after the test alert inspect
/tmp/ttttttddddssss it'll contain the ids of the root user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: 0
Patches
Vulnerability mechanics
References
5- csirt.divd.nl/CVE-2021-4406nvdThird Party Advisory
- www.osnexus.com/products/software-defined-storagenvdProduct
- csirt.divd.nl/DIVD-2021-00020/nvd
- csirt.divd.nl/cves/CVE-2021-4406/nvd
- www.divd.nl/DIVD-2021-00020nvd
News mentions
0No linked articles in our index yet.