VYPR

Orion Platform

by SolarWinds

CVEs (41)

  • CVE-2020-10148CriKEVDec 29, 2020
    risk 0.83cvss 9.8epss 0.92

    The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds…

  • CVE-2021-25274CriFeb 3, 2021
    risk 0.67cvss 9.8epss 0.36

    The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process.…

  • CVE-2022-36958HigOct 20, 2022
    risk 0.64cvss 8.8epss 0.83

    SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

  • CVE-2021-35217HigSep 8, 2021
    risk 0.64cvss 8.9epss 0.74

    Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted…

  • CVE-2021-27258CriApr 14, 2021
    risk 0.64cvss 9.8epss 0.04

    This vulnerability allows remote attackers to execute escalate privileges on affected installations of SolarWinds Orion Platform 2020.2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SaveUserSetting endpoint. The issue results…

  • CVE-2019-9546CriMar 1, 2019
    risk 0.64cvss 9.8epss 0.03

    SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege escalation through the RabbitMQ service.

  • CVE-2022-36961HigSep 30, 2022
    risk 0.63cvss 8.8epss 0.75

    A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.

  • CVE-2021-35215HigSep 1, 2021
    risk 0.63cvss 8.9epss 0.70

    Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.

  • CVE-2022-36964HigNov 29, 2022
    risk 0.59cvss 8.8epss 0.17

    SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

  • CVE-2020-13169CriSep 17, 2020
    risk 0.59cvss 9.0epss 0.02

    Stored XSS (Cross-Site Scripting) exists in the SolarWinds Orion Platform before before 2020.2.1 on multiple forms and pages. This vulnerability may lead to the Information Disclosure and Escalation of Privileges (takeover of administrator account).

  • CVE-2021-35212HigAug 31, 2021
    risk 0.58cvss 8.9epss 0.02

    An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform reported by the ZDI Team. A blind Boolean SQL injection which could lead to full read/write over the Orion database content including the Orion certificate for any authenticated user.

  • CVE-2021-35213HigAug 31, 2021
    risk 0.58cvss 8.9epss 0.03

    An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to the Administrator using this vulnerability. Authentication is required to exploit the…

  • CVE-2020-14005HigJun 24, 2020
    risk 0.58cvss 8.8epss 0.14

    Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows remote attackers to execute arbitrary code via a defined event.

  • CVE-2023-40061HigNov 1, 2023
    risk 0.57cvss 8.8epss 0.00

     Insecure job execution mechanism vulnerability. This vulnerability can lead to other attacks as a result.

  • CVE-2022-36960HigNov 29, 2022
    risk 0.57cvss 8.8epss 0.01

    SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to escalate user privileges.

  • CVE-2022-38108HigOct 20, 2022
    risk 0.55cvss 7.2epss 0.70

    SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

  • CVE-2020-27871HigFeb 10, 2021
    risk 0.54cvss 7.2epss 0.90

    This vulnerability allows remote attackers to create arbitrary files on affected installations of SolarWinds Orion Platform 2020.2.1. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw…

  • CVE-2021-35220HigAug 31, 2021
    risk 0.53cvss 8.1epss 0.02

    Command Injection vulnerability in EmailWebPage API which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.

  • CVE-2021-35222HigAug 31, 2021
    risk 0.52cvss 8.0epss 0.03

    This vulnerability allows attackers to impersonate users and perform arbitrary actions leading to a Remote Code Execution (RCE) from the Alerts Settings page.

  • CVE-2021-25275HigFeb 3, 2021
    risk 0.51cvss 7.8epss 0.01

    SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores database credentials to access this backend in a file readable by unprivileged users. As a result, any user having access to the filesystem can…

Page 1 of 3