VYPR

Vendor CVEs

SolarWinds

All CVEs

266 total · sorted by risk
  • CVE-2022-47509 · Apr 21, 2023
    risk 0.00 · cvss · epss 0.01

    The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

  • CVE-2022-47505 · Apr 21, 2023
    risk 0.00 · cvss · epss 0.00

    The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.

  • CVE-2022-36963 · Apr 21, 2023
    risk 0.00 · cvss · epss 0.08

    The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

  • CVE-2022-47508 · Feb 15, 2023
    risk 0.00 · cvss · epss 0.01

    Customers who had configured their polling to occur via Kerberos did not expect NTLM traffic in their environment, but since the platform was querying for data via IP address, this prevented Kerberos from being used.

  • CVE-2022-47506 · Feb 15, 2023
    risk 0.00 · cvss · epss 0.01

    SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands.

  • CVE-2022-38110 · Jan 20, 2023
    risk 0.00 · cvss · epss 0.00

    In Database Performance Analyzer (DPA) 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting.

  • CVE-2022-38112 · Jan 20, 2023
    risk 0.00 · cvss · epss 0.00

    In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.

  • CVE-2022-47512 · Dec 21, 2022
    risk 0.00 · cvss · epss 0.00

    Sensitive information was stored in plain text in a file that is accessible by a user with a local account in Hybrid Cloud Observability (HCO) / SolarWinds Platform 2022.4. No other versions are affected.

  • CVE-2021-35252 · Dec 16, 2022
    risk 0.00 · cvss · epss 0.01

    A common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this, an encrypted value that is exposed to an attacker can simply be recovered to plaintext.

  • CVE-2022-38106 · Dec 16, 2022
    risk 0.00 · cvss · epss 0.01

    This vulnerability is present in the Serv-U web client, versions 15.3.0 to 15.3.1. It affects the directory creation function.

  • CVE-2022-36964 · Nov 29, 2022
    risk 0.00 · cvss · epss 0.17

    SolarWinds Platform was susceptible to Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to the SolarWinds Web Console to execute arbitrary commands.

  • CVE-2022-36962 · Nov 29, 2022
    risk 0.00 · cvss · epss 0.09

    SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands.

  • CVE-2022-36960 · Nov 29, 2022
    risk 0.00 · cvss · epss 0.01

    SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to escalate user privileges.

  • CVE-2022-36957 · Oct 20, 2022
    risk 0.00 · cvss · epss 0.12

    SolarWinds Platform was susceptible to Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands.

  • CVE-2022-36966 · Oct 20, 2022
    risk 0.00 · cvss · epss 0.00

    Users with Node Management rights were able to view and edit all nodes due to insufficient control of a URL parameter, causing an insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous.

  • CVE-2022-38107 · Oct 19, 2022
    risk 0.00 · cvss · epss 0.01

    Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details.

  • CVE-2021-35226 · Oct 10, 2022
    risk 0.00 · cvss · epss 0.00

    An entity in the Network Configuration Manager product is misconfigured and exposes a password field to the SolarWinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role.

  • CVE-2022-36965 · Sep 30, 2022
    risk 0.00 · cvss · epss 0.01

    Insufficient sanitization of inputs in a QoE application input field could lead to stored and DOM-based XSS attacks. This issue is fixed and released in SolarWinds Platform (2022.3.0).

  • CVE-2021-35249 · May 17, 2022
    risk 0.00 · cvss · epss 0.01

    This broken access control vulnerability pertains specifically to a domain admin who can access configuration and user data of other domains to which they should not have access. Please note the admin is unable to modify the data (read-only operation). This UAC issue leads to a…

  • CVE-2021-35229 · Apr 21, 2022
    risk 0.00 · cvss · epss 0.03

    A cross-site scripting vulnerability is present in Database Performance Monitor 2022.1.7779 and previous versions when using a complex SQL query.

  • CVE-2022-27836 · Apr 11, 2022
    risk 0.00 · cvss · epss 0.00

    Improper access control and path traversal vulnerability in Storage Manager and Storage Manager Service prior to SMR Apr-2022 Release 1 allow local attackers to access arbitrary system files without proper permission. The patch adds proper validation logic to prevent arbitrary…
    Caveat: the "SMR Apr-2022 Release 1" naming is Samsung's monthly mobile security release scheme, so this entry concerns Samsung's Storage Manager app, not the SolarWinds Storage Manager product; treat its appearance under this vendor as a product-name collision.

  • CVE-2021-35254 · Mar 25, 2022
    risk 0.00 · cvss · epss 0.01

    SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future.

  • CVE-2021-35234 · Dec 20, 2021
    risk 0.00 · cvss · epss 0.03

    Numerous exposed dangerous functions within Orion Core allow for read-only SQL injection leading to privilege escalation. An attacker with low user privileges may steal password hashes and password salt information.

  • CVE-2021-35248 · Dec 20, 2021
    risk 0.00 · cvss · epss 0.01

    It has been reported that any Orion user, e.g. a guest account, can query the Orion.UserSettings entity and enumerate users and their basic settings.

  • CVE-2021-35242 · Dec 6, 2021
    risk 0.00 · cvss · epss 0.01

    The Serv-U server responds with a valid CSRFToken when the request contains only the Session.

  • CVE-2021-35245 · Dec 6, 2021
    risk 0.00 · cvss · epss 0.01

    When a user has admin rights in the Serv-U Console, the user can move, create and delete any files that can be accessed on the Serv-U host machine.

  • CVE-2021-35237 · Oct 29, 2021
    risk 0.00 · cvss · epss 0.01

    A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to clickjacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or…

  • CVE-2021-35236 · Oct 27, 2021
    risk 0.00 · cvss · epss 0.01

    The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed…

  • CVE-2021-35235 · Oct 27, 2021
    risk 0.00 · cvss · epss 0.01

    The ASP.NET debug feature is enabled by default in Kiwi Syslog Server 9.7.2 and previous versions. ASP.NET allows remote debugging of web applications, if configured to do so. Debug mode causes ASP.NET to compile applications with extra information. The information enables a…

  • CVE-2021-35233 · Oct 27, 2021
    risk 0.00 · cvss · epss 0.01

    The HTTP TRACK and TRACE methods were enabled in Kiwi Syslog Server 9.7.1 and earlier. These methods are intended for diagnostic purposes only. If enabled, the web server will respond to requests that use these methods by returning the exact HTTP request that was received in the…

  • CVE-2021-35231 · Oct 25, 2021
    risk 0.00 · cvss · epss 0.00

    As a result of an unquoted service path vulnerability present in the Kiwi Syslog Server Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry. Example vulnerable path:…

  • CVE-2021-35228 · Oct 21, 2021
    risk 0.00 · cvss · epss 0.01

    This vulnerability occurred due to missing input sanitization for one of the output fields that is extracted from headers on a specific section of the page, causing a reflected cross-site scripting attack. An attacker would need to perform a Man in the Middle attack in order to change…

  • CVE-2021-35227 · Oct 21, 2021
    risk 0.00 · cvss · epss 0.00

    The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available.

  • CVE-2021-35225 · Oct 21, 2021
    risk 0.00 · cvss · epss 0.01

    Each authenticated Orion Platform user in an MSP (Managed Service Provider) environment can view and browse all NetPath Services from all of that MSP's customers. This can lead to any user having limited insight into other customers' infrastructure and potential data…

  • CVE-2021-35214 · Oct 12, 2021
    risk 0.00 · cvss · epss 0.02

    The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user sessions upon a password or email address change. When running multiple active sessions in separate browser windows, it was observed that a password or email address could be changed without…

  • CVE-2021-35238 · Sep 1, 2021
    risk 0.00 · cvss · epss 0.01

    User with Orion Platform Admin Rights could store XSS through URL POST parameter in CreateExternalWebsite website.

  • CVE-2021-35212 · Aug 31, 2021
    risk 0.00 · cvss · epss 0.02

    An SQL injection privilege escalation vulnerability was discovered in the Orion Platform, reported by the ZDI team. A blind boolean SQL injection could lead to full read/write access over the Orion database content, including the Orion certificate, for any authenticated user.

  • CVE-2021-35213 · Aug 31, 2021
    risk 0.00 · cvss · epss 0.03

    An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to the Administrator using this vulnerability. Authentication is required to exploit the…

  • CVE-2021-35240 · Aug 31, 2021
    risk 0.00 · cvss · epss 0.01

    A security researcher stored XSS via a Help Server setting. This affects customers using Internet Explorer, because it does not support 'rel=noopener'.

  • CVE-2021-35239 · Aug 31, 2021
    risk 0.00 · cvss · epss 0.01

    A security researcher found that a user with Orion map manage rights could store XSS through a text box hyperlink.

  • CVE-2021-35222 · Aug 31, 2021
    risk 0.00 · cvss · epss 0.03

    This vulnerability allows attackers to impersonate users and perform arbitrary actions leading to a Remote Code Execution (RCE) from the Alerts Settings page.

  • CVE-2021-35221 · Aug 31, 2021
    risk 0.00 · cvss · epss 0.02

    Improper Access Control Tampering Vulnerability using ImportAlert function which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.

  • CVE-2021-35220 · Aug 31, 2021
    risk 0.00 · cvss · epss 0.02

    Command Injection vulnerability in EmailWebPage API which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.

  • CVE-2021-35219 · Aug 31, 2021
    risk 0.00 · cvss · epss 0.01

    ExportToPdfCmd Arbitrary File Read Information Disclosure Vulnerability using ImportAlert function within the Alerts Settings page.

  • CVE-2021-28674 · Jul 27, 2021
    risk 0.00 · cvss · epss 0.01

    The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because node IDs are predictable (with incrementing numbers) and the…

  • CVE-2021-31217 · Jul 13, 2021
    risk 0.00 · cvss · epss 0.04

    In SolarWinds DameWare Mini Remote Control Server 12.0.1.200, insecure file permissions allow file deletion as SYSTEM.

  • CVE-2021-32522 · Jul 7, 2021
    risk 0.00 · cvss · epss 0.01

    Improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to discover users' credentials and obtain access via a brute force attack. Suggest contacting QSAN and referring to recommendations in QSAN…
    Caveat: as the description itself states, this is a QSAN product; it appears under this vendor through a product-name collision with SolarWinds Storage Manager, not because a SolarWinds product is affected.

  • CVE-2021-32604 · May 11, 2021
    risk 0.00 · cvss · epss 0.02

    Share/IncomingWizard.htm in SolarWinds Serv-U before 15.2.3 mishandles the user-supplied SenderEmail parameter, aka "Share URL XSS."

  • CVE-2020-22428 · May 5, 2021
    risk 0.00 · cvss · epss 0.01

    SolarWinds Serv-U before 15.1.6 Hotfix 3 is affected by Cross Site Scripting (XSS) via a directory name (entered by an admin) containing a JavaScript payload.

  • CVE-2021-25179 · May 5, 2021
    risk 0.00 · cvss · epss 0.01

    SolarWinds Serv-U before 15.2 is affected by Cross Site Scripting (XSS) via the HTTP Host header.
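The three Kiwi Syslog Server entries above (CVE-2021-35237 missing X-Frame-Options, CVE-2021-35236 cookie without the Secure flag, CVE-2021-35233 TRACE/TRACK enabled) are all visible in a single HTTP response, so they can be checked together. The following is an added example, not SolarWinds code and not part of this listing: it parses a raw HTTP/1.x response offline and reports each of those weaknesses, plus the closely related missing HttpOnly flag. The sample responses are constructed, not captured from a real Kiwi Syslog Server.

```python
"""Offline audit of an HTTP response for clickjacking, cookie-flag and
TRACE/TRACK exposure (added example; sample responses are constructed)."""
from email.parser import Parser


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers).

    headers is an email.message.Message: header lookups are case-insensitive
    and repeated headers such as Set-Cookie are all kept (see get_all)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_block, headersonly=True)


def cookie_attributes(set_cookie: str) -> set:
    """Lower-cased attribute names of one Set-Cookie value (Secure, HttpOnly, ...)."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def audit_response(raw: str, request_method: str = "GET") -> list:
    """Return a list of human-readable findings for one response.

    request_method is the method that produced the response; pass "TRACE" or
    "TRACK" for a probe of those methods."""
    status, headers = parse_response(raw)
    findings = []

    # Clickjacking: neither X-Frame-Options nor a CSP frame-ancestors directive.
    csp = headers.get("Content-Security-Policy", "")
    if headers.get("X-Frame-Options") is None and "frame-ancestors" not in csp.lower():
        findings.append("no X-Frame-Options or CSP frame-ancestors (clickjacking)")

    # Cookie flags: every Set-Cookie should carry Secure (and HttpOnly).
    for cookie in headers.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        attrs = cookie_attributes(cookie)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")

    # Diagnostic methods: advertised in Allow, or a TRACE/TRACK probe answered 200.
    allow = {m.strip().upper() for m in headers.get("Allow", "").split(",") if m.strip()}
    for method in sorted(allow & {"TRACE", "TRACK"}):
        findings.append(f"{method} advertised in Allow")
    if request_method.upper() in ("TRACE", "TRACK") and status == 200:
        findings.append(f"{request_method.upper()} request answered 200 (method enabled)")
    return findings


# Constructed sample responses (not captured from a real server).
VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASP.NET_SessionId=0123abcd; path=/\r\n"
    "Allow: GET, HEAD, POST, TRACE\r\n"
    "\r\n<html></html>"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "Set-Cookie: ASP.NET_SessionId=0123abcd; path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Allow: GET, HEAD, POST\r\n"
    "\r\n<html></html>"
)
TRACE_ECHO = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\nTRACE / HTTP/1.1\r\nHost: syslog.example.test\r\n"
)

if __name__ == "__main__":
    for label, raw, method in (("vulnerable", VULNERABLE, "GET"),
                               ("hardened", HARDENED, "GET"),
                               ("trace probe", TRACE_ECHO, "TRACE")):
        print(label, audit_response(raw, method) or "clean")
```

To use it against a live host, capture the raw response of a GET and of a TRACE probe (for example with a socket or a proxy) and pass each to audit_response; checking the Allow header alone is not enough, because many servers answer TRACE without advertising it.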
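CVE-2021-35231 above is an unquoted service path in the Kiwi Syslog Server installer; the listing truncates the example path. The following added example (not vendor code; the service path used is constructed and does not reproduce the real one) shows the check a practitioner wants: given a service ImagePath, enumerate the file names Windows CreateProcess will try before reaching the intended binary, which are exactly the locations an attacker needs to be able to write to. It assumes the documented CreateProcess behaviour of splitting an unquoted command line at each space and appending .exe to a candidate without an extension.

```python
"""Enumerate hijack candidates for an unquoted Windows service path
(added example; the service path below is constructed)."""
import ntpath


def unquoted_path_candidates(image_path: str) -> list:
    """Paths CreateProcess tries, in order, before the intended executable.

    For  C:\\Program Files\\Foo Bar\\svc.exe -arg  the tries are
    C:\\Program.exe, C:\\Program Files\\Foo.exe, then the real svc.exe.
    A quoted path, or a path without spaces, yields no hijack candidates."""
    cmd = image_path.strip()
    if cmd.startswith('"'):
        return []  # quoted: the executable path is unambiguous
    tokens = cmd.split(" ")
    # The executable portion ends at the first token ending in .exe; if no
    # token does, treat the whole command line as the path.
    exe_end = len(tokens)
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            exe_end = i + 1
            break
    exe_tokens = tokens[:exe_end]
    candidates = []
    for n in range(1, len(exe_tokens)):
        prefix = " ".join(exe_tokens[:n])
        # CreateProcess appends .exe when the candidate name has no extension.
        if "." not in prefix.rsplit("\\", 1)[-1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def directories_to_check(candidates: list) -> list:
    """Parent directories whose write ACLs decide whether a candidate is exploitable."""
    seen = []
    for c in candidates:
        d = ntpath.dirname(c)
        if d not in seen:
            seen.append(d)
    return seen


# Constructed example ImagePath values (not the real Kiwi Syslog Server path).
UNQUOTED = r"C:\Program Files\Example Vendor\Service Host\svc.exe -run"
QUOTED = r'"C:\Program Files\Example Vendor\Service Host\svc.exe" -run'

if __name__ == "__main__":
    cands = unquoted_path_candidates(UNQUOTED)
    print("attacker must be able to create one of:", cands)
    print("check write ACLs on:", directories_to_check(cands))
    print("quoted path candidates:", unquoted_path_candidates(QUOTED))
```

On a real host the ImagePath values come from the registry under HKLM\SYSTEM\CurrentControlSet\Services; a candidate is only exploitable when a low-privileged user can create files in its parent directory, so the ACL check on directories_to_check is the second half of the assessment.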
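CVE-2021-35214 above (SolarWinds Pingdom) is a failure to invalidate other sessions when a password or email address changes. The following added example is not Pingdom code; it is a minimal in-memory account and session store that shows the weak behaviour beside the fix: each session records the credential version it was issued under, every credential change bumps that version, and a session whose recorded version no longer matches is rejected on its next use. The password hashing (PBKDF2) and token generation are standard-library choices made for the example.

```python
"""Session invalidation on credential change, weak vs. bound form
(added example; accounts and passwords below are constructed)."""
import hashlib
import hmac
import secrets


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.credential_version = 0  # incremented on every password/email change

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def set_password(self, new_password: str) -> None:
        self.pw_hash = self._hash(new_password)
        self.credential_version += 1

    def set_email(self, new_email: str) -> None:
        self.email = new_email
        self.credential_version += 1


class SessionStore:
    """bind_to_credentials=False reproduces the CVE-2021-35214 behaviour:
    sessions opened before a password change keep working afterwards."""

    def __init__(self, bind_to_credentials: bool):
        self.bind = bind_to_credentials
        self._sessions = {}  # token -> (account, credential_version at issue)

    def login(self, account: Account, password: str):
        if not account.check_password(password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (account, account.credential_version)
        return token

    def resolve(self, token: str):
        """Return the account for a token, or None if unknown or stale."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        account, issued_version = entry
        if self.bind and issued_version != account.credential_version:
            del self._sessions[token]  # issued before a credential change
            return None
        return account

    def change_password(self, token: str, old: str, new: str) -> bool:
        account = self.resolve(token)
        if account is None or not account.check_password(old):
            return False
        account.set_password(new)
        # Re-bind only the session that made the change; all others go stale.
        self._sessions[token] = (account, account.credential_version)
        return True

    def change_email(self, token: str, new_email: str) -> bool:
        account = self.resolve(token)
        if account is None:
            return False
        account.set_email(new_email)
        self._sessions[token] = (account, account.credential_version)
        return True


def demo(bind: bool) -> bool:
    """Open two sessions, change the password from the first, and report
    whether the second session is still usable afterwards."""
    acct = Account("user@example.test", "old-password")
    store = SessionStore(bind_to_credentials=bind)
    first = store.login(acct, "old-password")
    second = store.login(acct, "old-password")
    assert store.change_password(first, "old-password", "new-password")
    return store.resolve(second) is not None


if __name__ == "__main__":
    print("weak store: other session survives password change ->", demo(False))
    print("bound store: other session survives password change ->", demo(True))
```

Re-authentication on every request would give the same effect at far higher cost; comparing a stored integer against the account's current version is the cheap way to get "change password logs out everywhere else" without a session table scan.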
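Two entries above are object-level authorization failures on node management: CVE-2022-36966 (users with Node Management rights could view and edit all nodes via a URL parameter) and CVE-2021-28674 (predictable, incrementing node IDs let a writer create or delete nodes outside their own perimeter). The following added example is not SolarWinds code; it models a handler that checks only the functional right beside one that also checks the node's scope, and an enumeration loop over sequential IDs that shows why the first is exploitable. The node table, tenants and right names are constructed for the example.

```python
"""Functional-right check vs. object-level scope check on sequential node IDs
(added example; nodes, tenants and right names are constructed)."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    rights: set
    tenants: set = field(default_factory=set)  # scopes this user may manage


# Constructed inventory: sequential IDs, as a real node table usually has.
NODES = {
    1: {"owner": "tenant-a", "name": "core-sw1"},
    2: {"owner": "tenant-a", "name": "edge-rtr1"},
    3: {"owner": "tenant-b", "name": "db-srv1"},
    4: {"owner": "tenant-b", "name": "web-srv1"},
    5: {"owner": "tenant-c", "name": "fw1"},
}


def edit_node_vulnerable(user: User, node_id: int) -> dict:
    """Checks only that the caller holds the right, not which node is addressed."""
    if "NodeManagement" not in user.rights:
        raise PermissionError("missing NodeManagement right")
    node = NODES.get(node_id)
    if node is None:
        raise KeyError(node_id)
    return node


def edit_node_hardened(user: User, node_id: int) -> dict:
    """Right check plus object-level scope check on the node's owner."""
    if "NodeManagement" not in user.rights:
        raise PermissionError("missing NodeManagement right")
    node = NODES.get(node_id)
    # One failure mode for missing and out-of-scope nodes, so a caller cannot
    # use the difference to confirm which IDs exist.
    if node is None or node["owner"] not in user.tenants:
        raise PermissionError("node not in caller's scope")
    return node


def enumerate_nodes(handler, user: User, max_id: int) -> list:
    """Walk sequential IDs the way an attacker would and return those the
    handler lets this user reach."""
    reachable = []
    for node_id in range(1, max_id + 1):
        try:
            handler(user, node_id)
            reachable.append(node_id)
        except (PermissionError, KeyError):
            pass
    return reachable


TENANT_A_ADMIN = User("alice", {"NodeManagement"}, {"tenant-a"})
READ_ONLY = User("guest", set(), {"tenant-a"})

if __name__ == "__main__":
    print("vulnerable:", enumerate_nodes(edit_node_vulnerable, TENANT_A_ADMIN, 10))
    print("hardened:  ", enumerate_nodes(edit_node_hardened, TENANT_A_ADMIN, 10))
```

Random or opaque node identifiers would slow the enumeration loop but would not fix either CVE; the scope check in edit_node_hardened is the actual control, and the uniform failure for missing and out-of-scope IDs is what stops the loop from doubling as an inventory probe.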

Page 4 of 6