CVE-2021-41570: 
Veritas NetBackup Client vulnerability analysis and mitigation

Veritas NetBackup OpsCenter Analytics 9.1 contains a Cross-Site Scripting (XSS) vulnerability that affects multiple input fields during the Settings/Configuration Add operation. The vulnerability was disclosed in April 2022 and assigned CVE-2021-41570. The affected fields include the NetBackup Master Server Name, Display Name, NetBackup User Name, and NetBackup Password fields (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue affects multiple versions of NetBackup OpsCenter and OpsCenter Analytics, including versions 8.2 and earlier, 8.3.x, 9.0.x, and 9.1.x (NVD).

The Cross-Site Scripting vulnerability allows authenticated users to inject malicious web scripts or HTML into several fields during the Settings/Configuration Add operation. This could potentially lead to the execution of arbitrary web scripts in users' browsers, compromising the confidentiality and integrity of user sessions (Vendor Advisory).

Veritas has provided multiple mitigation options: Users can upgrade to NetBackup 10.0 where no additional patch is required, or alternatively upgrade to version 9.0.0.1 or 9.1.0.1 and apply the appropriate hotfix. Users who have already applied the Hotfix for CVE-2021-44228 and/or CVE-2021-45046 require no further action (Vendor Advisory).