CVEs-PoC/2021/CVE-2021-37216.md

### [CVE-2021-37216](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37216)
![](https://img.shields.io/static/v1?label=Product&message=Storage%20Manager%20XN8008T&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=Storage%20Manager%20XN8024R&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%3D%203.1.5%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3C%3D%203.3.2%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-79%20Cross-site%20Scripting%20(XSS)&color=brighgreen)

### Description

QSAN Storage Manager header page parameters does not filter special characters. Remote attackers can inject JavaScript without logging in and launch reflected XSS attacks to access and modify specific data.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates