Orion Platform

CVEs (28)

CVE	Vendor / Product	Risk	CVSS	EPSS	KEV	Published	Description
CVE-2020-10148	SolarWinds Orion Platform	0.20	—	0.94	KEV	Dec 29, 2020	The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds…
CVE-2022-38108	SolarWinds Solarwinds Platform	0.10	—	0.89		Oct 20, 2022	SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
CVE-2014-9566	SolarWinds Orion Network Performance Monitor	0.09	—	0.78		Mar 10, 2015	Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager…
CVE-2021-35215	SolarWinds Orion Platform	0.07	—	0.83		Sep 1, 2021	Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.
CVE-2020-27871	SolarWinds Orion Platform	0.07	—	0.87		Feb 10, 2021	This vulnerability allows remote attackers to create arbitrary files on affected installations of SolarWinds Orion Platform 2020.2.1. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw…
CVE-2021-35217	SolarWinds Orion Platform	0.05	—	0.60		Sep 8, 2021	Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted…
CVE-2021-35244	SolarWinds Orion Platform	0.02	—	0.24		Dec 20, 2021	The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote…
CVE-2022-47507	SolarWinds Solarwinds Platform	0.01	—	0.11		Feb 15, 2023	SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
CVE-2022-47503	SolarWinds Solarwinds Platform	0.01	—	0.11		Feb 15, 2023	SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
CVE-2022-36958	SolarWinds Solarwinds Platform	0.01	—	0.15		Oct 20, 2022	SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.
CVE-2022-36961	SolarWinds Orion Platform	0.01	—	0.12		Sep 30, 2022	A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.
CVE-2021-27258	SolarWinds Orion Platform	0.01	—	0.09		Apr 14, 2021	This vulnerability allows remote attackers to execute escalate privileges on affected installations of SolarWinds Orion Platform 2020.2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SaveUserSetting endpoint. The issue results…
CVE-2020-27870	SolarWinds Orion Platform	0.01	—	0.09		Feb 10, 2021	This vulnerability allows remote attackers to disclose sensitive information on affected installations of SolarWinds Orion Platform 2020.2.1. Authentication is required to exploit this vulnerability. The specific flaw exists within ExportToPDF.aspx. The issue results from the…
CVE-2023-23839	SolarWinds Solarwinds Platform	0.00	—	0.02		Apr 25, 2023	The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.
CVE-2022-36964	SolarWinds Solarwinds Platform	0.00	—	0.03		Nov 29, 2022	SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.
CVE-2022-36962	SolarWinds Solarwinds Platform	0.00	—	0.02		Nov 29, 2022	SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands.
CVE-2022-36960	SolarWinds Solarwinds Platform	0.00	—	0.00		Nov 29, 2022	SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to escalate user privileges.
CVE-2022-36957	SolarWinds Solarwinds Platform	0.00	—	0.02		Oct 20, 2022	SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
CVE-2022-36965	SolarWinds Solarwinds Platform	0.00	—	0.03		Sep 30, 2022	Insufficient sanitization of inputs in QoE application input field could lead to stored and Dom based XSS attack. This issue is fixed and released in SolarWinds Platform (2022.3.0).
CVE-2021-35238	SolarWinds Orion Platform	0.00	—	0.01		Sep 1, 2021	User with Orion Platform Admin Rights could store XSS through URL POST parameter in CreateExternalWebsite website.

CVE-2020-10148KEVDec 29, 2020
SolarWinds
Orion Platform
risk 0.20cvss —epss 0.94
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds…
CVE-2022-38108Oct 20, 2022
SolarWinds
Solarwinds Platform
risk 0.10cvss —epss 0.89
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
CVE-2014-9566Mar 10, 2015
SolarWinds
Orion Network Performance Monitor
risk 0.09cvss —epss 0.78
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager…
CVE-2021-35215Sep 1, 2021
SolarWinds
Orion Platform
risk 0.07cvss —epss 0.83
Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.
CVE-2020-27871Feb 10, 2021
SolarWinds
Orion Platform
risk 0.07cvss —epss 0.87
This vulnerability allows remote attackers to create arbitrary files on affected installations of SolarWinds Orion Platform 2020.2.1. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw…
CVE-2021-35217Sep 8, 2021
SolarWinds
Orion Platform
risk 0.05cvss —epss 0.60
Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted…
CVE-2021-35244Dec 20, 2021
SolarWinds
Orion Platform
risk 0.02cvss —epss 0.24
The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote…
CVE-2022-47507Feb 15, 2023
SolarWinds
Solarwinds Platform
risk 0.01cvss —epss 0.11
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
CVE-2022-47503Feb 15, 2023
SolarWinds
Solarwinds Platform
risk 0.01cvss —epss 0.11
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
CVE-2022-36958Oct 20, 2022
SolarWinds
Solarwinds Platform
risk 0.01cvss —epss 0.15
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.
CVE-2022-36961Sep 30, 2022
SolarWinds
Orion Platform
risk 0.01cvss —epss 0.12
A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.
CVE-2021-27258Apr 14, 2021
SolarWinds
Orion Platform
risk 0.01cvss —epss 0.09
This vulnerability allows remote attackers to execute escalate privileges on affected installations of SolarWinds Orion Platform 2020.2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SaveUserSetting endpoint. The issue results…
CVE-2020-27870Feb 10, 2021
SolarWinds
Orion Platform
risk 0.01cvss —epss 0.09
This vulnerability allows remote attackers to disclose sensitive information on affected installations of SolarWinds Orion Platform 2020.2.1. Authentication is required to exploit this vulnerability. The specific flaw exists within ExportToPDF.aspx. The issue results from the…
CVE-2023-23839Apr 25, 2023
SolarWinds
Solarwinds Platform
risk 0.00cvss —epss 0.02
The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.
CVE-2022-36964Nov 29, 2022
SolarWinds
Solarwinds Platform
risk 0.00cvss —epss 0.03
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.
CVE-2022-36962Nov 29, 2022
SolarWinds
Solarwinds Platform
risk 0.00cvss —epss 0.02
SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands.
CVE-2022-36960Nov 29, 2022
SolarWinds
Solarwinds Platform
risk 0.00cvss —epss 0.00
SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to escalate user privileges.
CVE-2022-36957Oct 20, 2022
SolarWinds
Solarwinds Platform
risk 0.00cvss —epss 0.02
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
CVE-2022-36965Sep 30, 2022
SolarWinds
Solarwinds Platform
risk 0.00cvss —epss 0.03
Insufficient sanitization of inputs in QoE application input field could lead to stored and Dom based XSS attack. This issue is fixed and released in SolarWinds Platform (2022.3.0).
CVE-2021-35238Sep 1, 2021
SolarWinds
Orion Platform
risk 0.00cvss —epss 0.01
User with Orion Platform Admin Rights could store XSS through URL POST parameter in CreateExternalWebsite website.

Page 1 of 2