CVE-2020-22428
Description
SolarWinds Serv-U before 15.1.6 Hotfix 3 is affected by Cross Site Scripting (XSS) via a directory name (entered by an admin) containing a JavaScript payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SolarWinds Serv-U before 15.1.6 HF3 has a stored XSS vulnerability where an admin can inject JavaScript via a directory name.
Vulnerability
SolarWinds Serv-U versions before 15.1.6 Hotfix 3 are affected by a stored Cross-Site Scripting (XSS) vulnerability. The flaw resides in the directory name field, which is normally entered by an administrator. A JavaScript payload placed as a directory name is not sanitized properly, leading to execution in the context of the application [1].
Exploitation
An attacker must have administrative access to the SolarWinds Serv-U management interface to create or rename a directory to a malicious name containing a JavaScript payload. When other administrators or users view the directory listing, the script executes in their browser. No additional authentication or interaction from the victim is required beyond viewing the affected page [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who views the directory list. This can lead to session hijacking, defacement, or theft of sensitive information within the application context. The attack is limited to the permissions of the affected user [1].
Mitigation
The vulnerability is fixed in SolarWinds Serv-U version 15.1.6 Hotfix 3 and later. Administrators should upgrade to the patched version. As a workaround, restrict administrative access to trusted users only, as the attack requires admin privileges to inject the payload [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- SolarWinds/Serv-U
- Range: <15.1.6 Hotfix 3
Patches
No patches discovered yet.
References
- support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-1-6-Hotfix-3 (mitre, x_refsource_MISC)
- twitter.com/gm4tr1x (mitre, x_refsource_MISC)
- www.linkedin.com/in/gabrielegristina (mitre, x_refsource_MISC)