Orion Platform
by SolarWinds
CVEs (28)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-35212 | | | 0.00 | — | 0.02 | | Aug 31, 2021 | An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform reported by the ZDI Team. A blind Boolean SQL injection which could lead to full read/write over the Orion database content including the Orion certificate for any authenticated user. |
| CVE-2021-35213 | | | 0.00 | — | 0.01 | | Aug 31, 2021 | An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to the Administrator using this vulnerability. Authentication is required to exploit the… |
| CVE-2021-35240 | | | 0.00 | — | 0.00 | | Aug 31, 2021 | A security researcher stored XSS via a Help Server setting. This affects customers using Internet Explorer, because they do not support 'rel=noopener'. |
| CVE-2021-35239 | | | 0.00 | — | 0.01 | | Aug 31, 2021 | A security researcher found a user with Orion map manage rights could store XSS via a text box hyperlink. |
| CVE-2021-35222 | | | 0.00 | — | 0.01 | | Aug 31, 2021 | This vulnerability allows attackers to impersonate users and perform arbitrary actions leading to a Remote Code Execution (RCE) from the Alerts Settings page. |
| CVE-2021-35221 | | | 0.00 | — | 0.00 | | Aug 31, 2021 | Improper Access Control Tampering Vulnerability using ImportAlert function which can lead to a Remote Code Execution (RCE) from the Alerts Settings page. |
| CVE-2021-35220 | | | 0.00 | — | 0.01 | | Aug 31, 2021 | Command Injection vulnerability in EmailWebPage API which can lead to a Remote Code Execution (RCE) from the Alerts Settings page. |
| CVE-2021-35219 | | | 0.00 | — | 0.00 | | Aug 31, 2021 | ExportToPdfCmd Arbitrary File Read Information Disclosure Vulnerability using ImportAlert function within the Alerts Settings page. |
Page 2 of 2