Web Help Desk
by SolarWinds
CVEs (14)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-35232 | Med | 0.44 | 6.8 | 0.00 | Dec 27, 2021 | Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password… | ||
| CVE-2019-16959 | Med | 0.42 | 6.5 | 0.02 | Dec 21, 2020 | SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket. | ||
| CVE-2021-35251 | Med | 0.35 | 5.3 | 0.01 | Mar 10, 2022 | Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation. | ||
| CVE-2021-35243 | Med | 0.35 | 5.3 | 0.01 | Dec 23, 2021 | The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method… | ||
| CVE-2021-32076 | Med | 0.35 | 5.3 | 0.01 | Aug 26, 2021 | Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-privileged IP address network range or loopback address by… | ||
| CVE-2019-16961 | Med | 0.35 | 5.4 | 0.01 | Jan 15, 2021 | SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name. | ||
| CVE-2019-16954 | Med | 0.35 | 5.4 | 0.01 | Jan 6, 2021 | SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in a Help Request ticket. | ||
| CVE-2019-16960 | Med | 0.35 | 5.4 | 0.01 | Jan 4, 2021 | SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field. | ||
| CVE-2019-16956 | Med | 0.35 | 5.4 | 0.02 | Jan 4, 2021 | SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket. | ||
| CVE-2019-16957 | Med | 0.35 | 5.4 | 0.01 | Dec 18, 2020 | SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account. | ||
| CVE-2019-16955 | Med | 0.35 | 5.4 | 0.02 | Dec 18, 2020 | SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request. | ||
| CVE-2019-16958 | Med | 0.35 | 5.4 | 0.01 | Dec 1, 2020 | Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 12.7.0 allows attacker to inject arbitrary web script or HTML via Location Name. | ||
| CVE-2025-26400 | Med | 0.34 | 5.3 | 0.00 | Jul 29, 2025 | SolarWinds Web Help Desk was reported to be affected by an XML External Entity Injection (XXE) vulnerability that could lead to information disclosure. A valid, low-privilege access is required unless the attacker had access to the local server to modify configuration files. | ||
| CVE-2024-45709 | Med | 0.34 | 5.3 | 0.00 | Dec 10, 2024 | SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires the software be installed on Linux and configured to use non-default development/test mode making exposure to the vulnerability very limited. |
- risk 0.44cvss 6.8epss 0.00
Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password…
- risk 0.42cvss 6.5epss 0.02
SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket.
- risk 0.35cvss 5.3epss 0.01
Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation.
- risk 0.35cvss 5.3epss 0.01
The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method…
- risk 0.35cvss 5.3epss 0.01
Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-privileged IP address network range or loopback address by…
- risk 0.35cvss 5.4epss 0.01
SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name.
- risk 0.35cvss 5.4epss 0.01
SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in a Help Request ticket.
- risk 0.35cvss 5.4epss 0.01
SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field.
- risk 0.35cvss 5.4epss 0.02
SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket.
- risk 0.35cvss 5.4epss 0.01
SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account.
- risk 0.35cvss 5.4epss 0.02
SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request.
- risk 0.35cvss 5.4epss 0.01
Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 12.7.0 allows attacker to inject arbitrary web script or HTML via Location Name.
- risk 0.34cvss 5.3epss 0.00
SolarWinds Web Help Desk was reported to be affected by an XML External Entity Injection (XXE) vulnerability that could lead to information disclosure. A valid, low-privilege access is required unless the attacker had access to the local server to modify configuration files.
- risk 0.34cvss 5.3epss 0.00
SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires the software be installed on Linux and configured to use non-default development/test mode making exposure to the vulnerability very limited.