Storage Concentrator (SC & SCVM) is vulnerable to reflected cross-site scripting due to unsanitized content being echoed back in 404 error pages. An attacker can craft a malicious URL that, when visited by an authenticated user, causes arbitrary script content to execute within the victim's browser session in the context of the application. This could be leveraged to steal session cookies, redirect users, or perform unauthorized actions on behalf of the victim.
History
Wed, 01 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Wed, 01 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Stonefly, Stonefly storage Concentrator, Stonefly storage Concentrator Virtual Machine | |
| Vendors & Products | Stonefly, Stonefly storage Concentrator, Stonefly storage Concentrator Virtual Machine | |
Tue, 30 Jun 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Storage Concentrator (SC & SCVM) is vulnerable to reflected cross-site scripting due to unsanitized content being echoed back in 404 error pages. An attacker can craft a malicious URL that, when visited by an authenticated user, causes arbitrary script content to execute within the victim's browser session in the context of the application. This could be leveraged to steal session cookies, redirect users, or perform unauthorized actions on behalf of the victim. | |
| Title | Cross-site Scripting in StoneFly Storage Concentrator | |
| Weaknesses | CWE-79 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: icscert
Published: 2026-06-30T22:27:37.001Z
Updated: 2026-07-01T15:35:58.586Z
Reserved: 2026-06-22T20:13:36.524Z
Link: CVE-2026-50040
Updated: 2026-07-01T15:35:54.779Z