VYPR
Unrated severity · NVD Advisory · Published May 5, 2021 · Updated Aug 3, 2024

CVE-2021-25179

Description

SolarWinds Serv-U before 15.2 is affected by Cross Site Scripting (XSS) via the HTTP Host header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SolarWinds Serv-U before 15.2 contains a cross-site scripting vulnerability via the HTTP Host header.

Vulnerability

SolarWinds Serv-U before version 15.2 is affected by a reflected Cross Site Scripting (XSS) vulnerability in the handling of the HTTP Host header [1]. The application does not properly sanitize the Host header value before reflecting it in error responses or logs, allowing an attacker to inject arbitrary HTML or JavaScript. Affected versions are all releases prior to 15.2.
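The class of flaw described above, shown as an added generic illustration in Python (not Serv-U code and not from the advisory): a handler that copies the Host header into an HTML response unchanged, beside a version that validates the header's syntax and encodes it on output. The function names and sample header values are assumptions constructed for this example.

```python
import html
import re

# Host = hostname or bracketed IPv6 literal, with an optional port.
_HOST_RE = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
    r"|\[[0-9A-Fa-f:.]+\])"
    r"(?::[0-9]{1,5})?"
)

def is_valid_host(value: str) -> bool:
    """True only for a plain host[:port]; rejects markup, quotes and spaces."""
    if not value or len(value) > 255:
        return False
    return _HOST_RE.fullmatch(value) is not None

def error_page_unsafe(host: str) -> str:
    # The pattern the description refers to: header value placed in HTML as-is.
    return f"<p>Unknown site: {host}</p>"

def error_page_safe(host: str) -> str:
    # Defence 1: refuse to echo anything that is not a plain host[:port].
    if not is_valid_host(host):
        return "<p>Bad request: invalid Host header.</p>"
    # Defence 2: encode on output anyway, so a gap in the grammar above
    # still cannot turn header bytes into markup.
    return f"<p>Unknown site: {html.escape(host, quote=True)}</p>"

# Constructed sample header values (hypothetical, not from real traffic).
SAMPLES = [
    "files.example.test",
    "files.example.test:8443",
    "[2001:db8::1]:443",
    'files.example.test"><i>x</i>',
]

def audit(values):
    """Return the values that the unsafe handler would emit as live markup."""
    return [v for v in values
            if error_page_unsafe(v) != f"<p>Unknown site: {html.escape(v)}</p>"]

if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v), is_valid_host(v), error_page_safe(v))
```
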

Exploitation

To exploit this vulnerability, an attacker must be able to send a crafted HTTP request to a SolarWinds Serv-U server. The attacker sets the Host header of the request to contain malicious JavaScript code, such as a payload that executes in the context of the victim's browser session. The attack does not require authentication, and no user interaction is needed beyond the victim viewing a page that reflects the malicious header [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser when the Host header is reflected. This could lead to session hijacking, credential theft, or defacement of the web interface, depending on the user's privileges. The impact is limited to the browser session and does not grant direct server access or privileges [1].

Mitigation

SolarWinds addressed this vulnerability in Serv-U version 15.2, released in early 2021. Users should upgrade to version 15.2 or later to eliminate the vulnerability. No workaround is documented in the available references [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
