Stored and DOM XSS in QoE Applications: Orion Platform
Description
Insufficient sanitization of input in the QoE application input field could lead to stored and DOM-based XSS attacks. This issue is fixed in the SolarWinds Platform 2022.3.0 release.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored and DOM-based XSS vulnerability in the SolarWinds Platform QoE application input field allows injection of arbitrary script code.
Vulnerability
A stored and DOM-based cross-site scripting (XSS) vulnerability exists in the Quality of Experience (QoE) application input field of the SolarWinds Platform. Insufficient sanitization of user-supplied input allows an attacker to inject malicious script code that is stored and later executed in the context of the victim's session [1]. This issue affects versions prior to SolarWinds Platform 2022.3.0 [1].
Exploitation
An attacker with authenticated access to the SolarWinds Platform (any role that can input data into the QoE application input field) can inject a malicious payload into the vulnerable input field. The injected script is stored on the server and subsequently executed in the browser of any user who views the affected page, leading to a stored XSS attack. Because the vulnerability is DOM-based, the attack may also be triggered without server-side persistence if the attacker can control DOM elements on the client [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. The attack compromises the confidentiality (e.g., session tokens) and integrity (e.g., page content) of the affected SolarWinds instance [1].
Mitigation
The vulnerability is fixed in SolarWinds Platform version 2022.3.0 [1]. Users should upgrade to this version or later as soon as possible. No workarounds or mitigations have been disclosed for versions prior to the fix [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2022.3.0
- Range: 2020.2.6 and previous versions
Patches
No patches discovered yet.
References