Impact
The vulnerability is a reflected cross‑site scripting (XSS) flaw in StoneFly Storage Concentrator and its Virtual Machine edition. Part of the request URL is echoed into the 404 error page without output encoding, so characters such as `<` and `>` reach the browser as markup rather than text. An attacker crafts a link to a non‑existent path that carries script, and when an authenticated user opens it the script runs in that user's browser, in the application's origin and with the user's session. From there the attacker can read session cookies that are not marked HttpOnly, redirect the user, or send requests to the application that are executed as the victim.
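As an added illustration, not the vendor's code (the HTML template, function names and probe string are assumptions; the product's real 404 template is not public), here is the vulnerable pattern a 404 page like this exhibits, the hardened equivalent, and the check a tester runs to tell the two apart:

```javascript
// Added example, not StoneFly's code: a 404 handler that reflects the request
// path into HTML unencoded (the flaw class described above) next to a hardened
// version. The markup and names below are illustrative assumptions.

// Encode the five characters that matter when text is placed in an HTML
// element body. This is NOT sufficient for attribute, URL or <script> contexts,
// which need their own encoders.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the (already percent-decoded) request path is dropped
// straight into the page body, so "<" and ">" reach the browser as markup.
function render404Vulnerable(path) {
  return `<!doctype html><html><body><h1>404 Not Found</h1>` +
    `<p>The requested URL ${path} was not found on this server.</p></body></html>`;
}

// Hardened: the same template, with the path encoded for its HTML context.
function render404Hardened(path) {
  return `<!doctype html><html><body><h1>404 Not Found</h1>` +
    `<p>The requested URL ${escapeHtml(path)} was not found on this server.</p></body></html>`;
}

// Tester's check: send a path carrying a harmless marker tag and see whether
// the body returns it byte-for-byte. Literal "<" and ">" coming back means the
// page will be parsed as markup; "&lt;"/"&gt;" coming back means it will not.
// A non-executing tag is deliberate: it proves reflection without running code.
const PROBE = "<xssprobe>reflected</xssprobe>";

function reflectsUnencoded(responseBody, probe = PROBE) {
  return responseBody.includes(probe);
}

// Simulates a request for a non-existent path carrying the probe, the way a
// server sees it after percent-decoding "/missing%3Cxssprobe%3E...".
function probeBothHandlers() {
  const requestedPath = decodeURIComponent("/missing%3Cxssprobe%3Ereflected%3C/xssprobe%3E");
  return {
    vulnerable: reflectsUnencoded(render404Vulnerable(requestedPath)),
    hardened: reflectsUnencoded(render404Hardened(requestedPath)),
  };
}

console.log(probeBothHandlers());
```

Against a live instance the same check is a single request for a path such as `/missing%3Cxssprobe%3E` followed by a look at the raw response body (view source, not the rendered page). Only test systems you are authorized to test. Output encoding is the fix; a Content-Security-Policy on the error page is defence in depth, not a substitute.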
Affected Systems
The affected products are StoneFly Storage Concentrator and StoneFly Storage Concentrator Virtual Machine. All releases older than Storage Concentrator version 8.0.4.29 are vulnerable; the vendor recommends upgrading to 8.0.4.29 or later.
Risk and Exploitability
The CVSS score of 5.1 places this flaw in the Medium severity band. No EPSS score is available and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, so there is no public evidence of exploitation at this time. Exploitation requires getting an authenticated user to open an attacker‑crafted link; the payload then runs in that user's browser session, which the attacker can hijack or use to perform actions inside the application. The overall risk is moderate, but organizations should still prioritize the upgrade because of the potential for session theft and unauthorized operations against a storage management interface.
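An added detection example, not part of the advisory or the vendor's tooling: since an attempt against this flaw leaves a 404 with markup in the requested path, the web server's access log can be checked for exactly that. The log lines are constructed for the example in Apache/NGINX combined format, and that field layout is an assumption about your own log source.

```javascript
// Added example (not the vendor's code or the advisory's): hunt access logs for
// 404 responses whose requested path contains HTML markup after decoding, the
// trace an attempted reflected XSS against a 404 page leaves behind.
// Assumption: Apache/NGINX "combined" log format; adapt LINE_RE to your source.

// client ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Markup that has no business in a URL path; only meaningful if it lands in HTML.
const XSS_MARKERS = [
  /<\s*script/i,
  /<\s*(img|svg|iframe|body)\b[^>]*\bon\w+\s*=/i,
  /\bon(error|load|mouseover|focus)\s*=/i,
  /javascript:/i,
];

// Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <)
// are caught; stop on malformed sequences rather than throwing.
function fullyDecode(s) {
  let cur = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], user: m[2], time: m[3], method: m[4], path: m[5],
           status: Number(m[6]), referer: m[7], ua: m[8] };
}

// Returns one hit per 404 whose decoded path matches a marker.
function findXss404Attempts(lines) {
  const hits = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.status !== 404) continue;
    const decoded = fullyDecode(r.path);
    const marker = XSS_MARKERS.find((re) => re.test(decoded));
    if (marker) {
      hits.push({ client: r.client, user: r.user, time: r.time, path: r.path, decoded, marker: marker.source });
    }
  }
  return hits;
}

// Constructed sample lines (RFC 5737 addresses): two attempts (one double-encoded),
// one benign 404, one unrelated 200.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /nonexistent%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
  '198.51.100.4 - admin [10/Oct/2023:13:56:01 +0000] "GET /missing-page HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "GET /x%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 404 512 "-" "curl/8.0"',
  '192.0.2.9 - - [10/Oct/2023:13:58:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

for (const h of findXss404Attempts(SAMPLE_LOG)) {
  console.log(`${h.time} ${h.client} 404 ${h.decoded}  [matched ${h.marker}]`);
}
```

A hit shows that someone sent a payload, not that it fired in a browser; the victim is whoever followed the link, so correlate the client address and timestamp with that user's subsequent session activity. Decoding before matching is the important part: a filter that looks for a literal `<script>` in the raw log line misses every percent-encoded attempt.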
OpenCVE Enrichment