VYPR

Orion Platform

by SolarWinds

CVEs (41)

  • CVE-2021-35239HigAug 31, 2021
    risk 0.49cvss 7.5epss 0.01

    A security researcher found a user with Orion map manage rights could store XSS through via text box hyperlink.

  • CVE-2022-36962HigNov 29, 2022
    risk 0.48cvss 7.2epss 0.09

    SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands.

  • CVE-2022-36957HigOct 20, 2022
    risk 0.48cvss 7.2epss 0.12

    SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

  • CVE-2021-35244MedDec 20, 2021
    risk 0.45cvss 6.8epss 0.06

    The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote…

  • CVE-2020-27870MedFeb 10, 2021
    risk 0.43cvss 6.5epss 0.04

    This vulnerability allows remote attackers to disclose sensitive information on affected installations of SolarWinds Orion Platform 2020.2.1. Authentication is required to exploit this vulnerability. The specific flaw exists within ExportToPDF.aspx. The issue results from the…

  • CVE-2021-35240MedAug 31, 2021
    risk 0.42cvss 6.5epss 0.01

    A security researcher stored XSS via a Help Server setting. This affects customers using Internet Explorer, because they do not support 'rel=noopener'.

  • CVE-2021-35221MedAug 31, 2021
    risk 0.41cvss 6.3epss 0.02

    Improper Access Control Tampering Vulnerability using ImportAlert function which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.

  • CVE-2022-36965MedSep 30, 2022
    risk 0.40cvss 6.1epss 0.01

    Insufficient sanitization of inputs in QoE application input field could lead to stored and Dom based XSS attack. This issue is fixed and released in SolarWinds Platform (2022.3.0).

  • CVE-2019-17127MedJan 17, 2020
    risk 0.40cvss 6.1epss 0.02

    A Stored Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many application forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. This can lead to privilege…

  • CVE-2019-17125MedJan 17, 2020
    risk 0.40cvss 6.1epss 0.02

    A Reflected Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS.

  • CVE-2021-35219MedAug 31, 2021
    risk 0.39cvss 6.0epss 0.01

    ExportToPdfCmd Arbitrary File Read Information Disclosure Vulnerability using ImportAlert function within the Alerts Settings page.

  • CVE-2019-12864MedMay 4, 2020
    risk 0.36cvss 5.5epss 0.00

    SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vulnerable to Information Leakage, because of improper error handling with stack traces, as demonstrated by discovering a full pathname upon a 500 Internal Server Error via the…

  • CVE-2021-28674MedJul 30, 2021
    risk 0.35cvss 5.4epss 0.01

    The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because node IDs are predictable (with incrementing numbers) and the…

  • CVE-2019-12954MedFeb 17, 2020
    risk 0.35cvss 5.4epss 0.01

    SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, NetPath 1.1.3) allows XSS by authenticated users via a crafted onerror attribute of a VIDEO element in an action for an ALERT.

  • CVE-2021-35225MedOct 21, 2021
    risk 0.33cvss 5.0epss 0.01

    Each authenticated Orion Platform user in a MSP (Managed Service Provider) environment can view and browse all NetPath Services from all that MSP's customers. This can lead to any user having a limited insight into other customer's infrastructure and potential data…

  • CVE-2026-28301MedJun 9, 2026
    risk 0.31cvss 4.8epss 0.00

    A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website.

  • CVE-2021-35238MedSep 1, 2021
    risk 0.31cvss 4.8epss 0.01

    User with Orion Platform Admin Rights could store XSS through URL POST parameter in CreateExternalWebsite website.

  • CVE-2021-3109MedMar 26, 2021
    risk 0.31cvss 4.8epss 0.01

    The custom menu item options page in SolarWinds Orion Platform before 2020.2.5 allows Reverse Tabnabbing in the context of an administrator account.

  • CVE-2020-35856MedMar 26, 2021
    risk 0.31cvss 4.8epss 0.01

    SolarWinds Orion Platform before 2020.2.5 allows stored XSS attacks by an administrator on the Customize View page.

  • CVE-2019-12863MedFeb 25, 2020
    risk 0.31cvss 4.8epss 0.01

    SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) allows Stored HTML Injection by administrators via the Web Console Settings screen.