xo-server@4.10.0 vulnerabilities

Server part of Xen-Orchestra

latest version

5.7.4

first published

10 years ago

latest version published

7 years ago

licenses detected

AGPL-3.0
>=0

View xo-server package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the xo-server package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Improper Access Control Affected versions of this package are vulnerable to Improper Access Control. Permissions enforcement through WebSockets are not thoroughly checked and can lead to an unprivileged user to obtain data only accessible by admin, such as VMs, Backups, Audit, Users, and Groups. The WebSockets that control the application API allow access to certain elements based purely on the response. For example, an attacker could manipulate the response of the `resourceSet.getAll` method to cause the UI to expose admin-level data. How to fix Improper Access Control? There is no fixed version for `xo-server`.	*

Improper Access Control

Affected versions of this package are vulnerable to Improper Access Control. Permissions enforcement through WebSockets are not thoroughly checked and can lead to an unprivileged user to obtain data only accessible by admin, such as VMs, Backups, Audit, Users, and Groups.

The WebSockets that control the application API allow access to certain elements based purely on the response. For example, an attacker could manipulate the response of the resourceSet.getAll method to cause the UI to expose admin-level data.

How to fix Improper Access Control?

There is no fixed version for xo-server.

Go back to all versions of this package