CVE-2021-32604
Description
Share/IncomingWizard.htm in SolarWinds Serv-U before 15.2.3 mishandles the user-supplied SenderEmail parameter, aka "Share URL XSS."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SolarWinds Serv-U before 15.2.3 contains a stored XSS vulnerability in Share/IncomingWizard.htm via the SenderEmail parameter.
Vulnerability
Share/IncomingWizard.htm in SolarWinds Serv-U before 15.2.3 mishandles the user-supplied SenderEmail parameter, leading to a stored cross-site scripting (XSS) vulnerability. The code path is reachable when a user interacts with the share file wizard functionality, and the parameter is not properly sanitized before being stored or rendered.
Exploitation
An attacker needs to supply a malicious payload in the SenderEmail parameter, which can be done through a specially crafted URL or form submission. When the affected page processes the parameter, the injected script is stored and later executed in the browsers of other users who view the share wizard page. No authentication is explicitly required to trigger the stored XSS, as the vulnerable component may be accessible to unauthenticated users.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session token theft, account impersonation, defacement, or redirection to malicious sites. The attack results in information disclosure and potential compromise of the user's session within the SolarWinds Serv-U interface.
Mitigation
The vulnerability is fixed in SolarWinds Serv-U version 15.2.3. Users should upgrade to this version or later. No workarounds have been disclosed for versions prior to the fix. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- SolarWinds/Serv-U
- Range: <15.2.3
References
- documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-2-3_release_notes.htm (mitre, x_refsource_MISC)
- www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/solarwinds-serv-u-1523-share-url-xss-cve-2021-32604/ (mitre, x_refsource_MISC)
- www.trustwave.com/en-us/resources/security-resources/security-advisories/ (mitre, x_refsource_MISC)