Vendor CVEs
SolarWinds
All CVEs
266 total · sorted by risk

The Vendor / Product, Sev and KEV columns are empty for every row on this page; the listing only carries the risk score, CVSS, EPSS, publication date and description for each entry.

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-47509 | | | 0.00 | — | 0.01 | | Apr 21, 2023 | The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML. |
| CVE-2022-47505 | | | 0.00 | — | 0.00 | | Apr 21, 2023 | The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges. |
| CVE-2022-36963 | | | 0.00 | — | 0.08 | | Apr 21, 2023 | The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands. |
| CVE-2022-47508 | | | 0.00 | — | 0.01 | | Feb 15, 2023 | Customers who had configured their polling to occur via Kerberos did not expect NTLM traffic in their environment, but because data was being queried via IP address, Kerberos could not be used. |
| CVE-2022-47506 | | | 0.00 | — | 0.01 | | Feb 15, 2023 | SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands. |
| CVE-2022-38110 | | | 0.00 | — | 0.00 | | Jan 20, 2023 | In Database Performance Analyzer (DPA) 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting. |
| CVE-2022-38112 | | | 0.00 | — | 0.00 | | Jan 20, 2023 | In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext. |
| CVE-2022-47512 | | | 0.00 | — | 0.00 | | Dec 21, 2022 | Sensitive information was stored in plain text in a file that is accessible by a user with a local account in Hybrid Cloud Observability (HCO) / SolarWinds Platform 2022.4. No other versions are affected. |
| CVE-2021-35252 | | | 0.00 | — | 0.01 | | Dec 16, 2022 | A common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this, an encrypted value that is exposed to an attacker can be simply recovered to plaintext. |
| CVE-2022-38106 | | | 0.00 | — | 0.01 | | Dec 16, 2022 | This vulnerability is present in the Serv-U web client versions 15.3.0 to 15.3.1. It affects the directory creation function. |
| CVE-2022-36964 | | | 0.00 | — | 0.17 | | Nov 29, 2022 | SolarWinds Platform was susceptible to Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to the SolarWinds Web Console to execute arbitrary commands. |
| CVE-2022-36962 | | | 0.00 | — | 0.09 | | Nov 29, 2022 | SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands. |
| CVE-2022-36960 | | | 0.00 | — | 0.01 | | Nov 29, 2022 | SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to the SolarWinds Web Console to escalate user privileges. |
| CVE-2022-36957 | | | 0.00 | — | 0.12 | | Oct 20, 2022 | SolarWinds Platform was susceptible to Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands. |
| CVE-2022-36966 | | | 0.00 | — | 0.00 | | Oct 20, 2022 | Users with Node Management rights were able to view and edit all nodes due to insufficient control on a URL parameter, causing an insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous. |
| CVE-2022-38107 | | | 0.00 | — | 0.01 | | Oct 19, 2022 | Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details. |
| CVE-2021-35226 | | | 0.00 | — | 0.00 | | Oct 10, 2022 | An entity in the Network Configuration Manager product is misconfigured and exposes a password field to the SolarWinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role. |
| CVE-2022-36965 | | | 0.00 | — | 0.01 | | Sep 30, 2022 | Insufficient sanitization of inputs in a QoE application input field could lead to stored and DOM-based XSS attacks. This issue is fixed and released in SolarWinds Platform (2022.3.0). |
| CVE-2021-35249 | | | 0.00 | — | 0.01 | | May 17, 2022 | This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read-only operation). This UAC issue leads to a… |
| CVE-2021-35229 | | | 0.00 | — | 0.03 | | Apr 21, 2022 | A cross-site scripting vulnerability is present in Database Performance Monitor 2022.1.7779 and previous versions when using a complex SQL query. |
| CVE-2022-27836 | | | 0.00 | — | 0.00 | | Apr 11, 2022 | Improper access control and path traversal vulnerability in Storage Manager and Storage Manager Service prior to SMR Apr-2022 Release 1 allow local attackers to access arbitrary system files without proper permission. The patch adds proper validation logic to prevent arbitrary… |
| CVE-2021-35254 | | | 0.00 | — | 0.01 | | Mar 25, 2022 | SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future. |
| CVE-2021-35234 | | | 0.00 | — | 0.03 | | Dec 20, 2021 | Numerous exposed dangerous functions within Orion Core allow for read-only SQL injection leading to privilege escalation. An attacker with low user privileges may steal password hashes and password salt information. |
| CVE-2021-35248 | | | 0.00 | — | 0.01 | | Dec 20, 2021 | It has been reported that any Orion user, e.g. guest accounts, can query the Orion.UserSettings entity and enumerate users and their basic settings. |
| CVE-2021-35242 | | | 0.00 | — | 0.01 | | Dec 6, 2021 | Serv-U server responds with a valid CSRFToken when the request contains only Session. |
| CVE-2021-35245 | | | 0.00 | — | 0.01 | | Dec 6, 2021 | When a user has admin rights in the Serv-U Console, the user can move, create and delete any files that are accessible on the Serv-U host machine. |
| CVE-2021-35237 | | | 0.00 | — | 0.01 | | Oct 29, 2021 | A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to clickjacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or… |
| CVE-2021-35236 | | | 0.00 | — | 0.01 | | Oct 27, 2021 | The Secure flag is not set in the SSL cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed… |
| CVE-2021-35235 | | | 0.00 | — | 0.01 | | Oct 27, 2021 | The ASP.NET debug feature is enabled by default in Kiwi Syslog Server 9.7.2 and previous versions. ASP.NET allows remote debugging of web applications, if configured to do so. Debug mode causes ASP.NET to compile applications with extra information. The information enables a… |
| CVE-2021-35233 | | | 0.00 | — | 0.01 | | Oct 27, 2021 | The HTTP TRACK & TRACE methods were enabled in Kiwi Syslog Server 9.7.1 and earlier. These methods are intended for diagnostic purposes only. If enabled, the web server will respond to requests that use these methods by returning the exact HTTP request that was received in the… |
| CVE-2021-35231 | | | 0.00 | — | 0.00 | | Oct 25, 2021 | As a result of an unquoted service path vulnerability present in the Kiwi Syslog Server Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry. Example vulnerable path:… |
| CVE-2021-35228 | | | 0.00 | — | 0.01 | | Oct 21, 2021 | This vulnerability occurred due to missing input sanitization for one of the output fields that is extracted from headers on a specific section of a page, causing a reflected cross-site scripting attack. An attacker would need to perform a Man-in-the-Middle attack in order to change… |
| CVE-2021-35227 | | | 0.00 | — | 0.00 | | Oct 21, 2021 | The HTTP interface was enabled for the RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available. |
| CVE-2021-35225 | | | 0.00 | — | 0.01 | | Oct 21, 2021 | Each authenticated Orion Platform user in an MSP (Managed Service Provider) environment can view and browse all NetPath Services from all that MSP's customers. This can lead to any user having a limited insight into other customers' infrastructure and potential data… |
| CVE-2021-35214 | | | 0.00 | — | 0.02 | | Oct 12, 2021 | The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user sessions upon a password or email address change. When running multiple active sessions in separate browser windows, it was observed that a password or email address could be changed without… |
| CVE-2021-35238 | | | 0.00 | — | 0.01 | | Sep 1, 2021 | A user with Orion Platform Admin Rights could store XSS through a URL POST parameter in the CreateExternalWebsite page. |
| CVE-2021-35212 | | | 0.00 | — | 0.02 | | Aug 31, 2021 | An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform, reported by the ZDI Team. A blind Boolean SQL injection which could lead to full read/write over the Orion database content, including the Orion certificate, for any authenticated user. |
| CVE-2021-35213 | | | 0.00 | — | 0.03 | | Aug 31, 2021 | An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to Administrator using this vulnerability. Authentication is required to exploit the… |
| CVE-2021-35240 | | | 0.00 | — | 0.01 | | Aug 31, 2021 | A security researcher stored XSS via a Help Server setting. This affects customers using Internet Explorer, because it does not support 'rel=noopener'. |
| CVE-2021-35239 | | | 0.00 | — | 0.01 | | Aug 31, 2021 | A security researcher found that a user with Orion map manage rights could store XSS via a text box hyperlink. |
| CVE-2021-35222 | | | 0.00 | — | 0.03 | | Aug 31, 2021 | This vulnerability allows attackers to impersonate users and perform arbitrary actions, leading to Remote Code Execution (RCE) from the Alerts Settings page. |
| CVE-2021-35221 | | | 0.00 | — | 0.02 | | Aug 31, 2021 | Improper Access Control Tampering Vulnerability using the ImportAlert function which can lead to Remote Code Execution (RCE) from the Alerts Settings page. |
| CVE-2021-35220 | | | 0.00 | — | 0.02 | | Aug 31, 2021 | Command Injection vulnerability in the EmailWebPage API which can lead to Remote Code Execution (RCE) from the Alerts Settings page. |
| CVE-2021-35219 | | | 0.00 | — | 0.01 | | Aug 31, 2021 | ExportToPdfCmd Arbitrary File Read Information Disclosure Vulnerability using the ImportAlert function within the Alerts Settings page. |
| CVE-2021-28674 | | | 0.00 | — | 0.01 | | Jul 27, 2021 | The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because node IDs are predictable (with incrementing numbers) and the… |
| CVE-2021-31217 | | | 0.00 | — | 0.04 | | Jul 13, 2021 | In SolarWinds DameWare Mini Remote Control Server 12.0.1.200, insecure file permissions allow file deletion as SYSTEM. |
| CVE-2021-32522 | | | 0.00 | — | 0.01 | | Jul 7, 2021 | Improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to discover users' credentials and obtain access via a brute force attack. Suggest contacting QSAN and referring to recommendations in QSAN… |
| CVE-2021-32604 | | | 0.00 | — | 0.02 | | May 11, 2021 | Share/IncomingWizard.htm in SolarWinds Serv-U before 15.2.3 mishandles the user-supplied SenderEmail parameter, aka "Share URL XSS." |
| CVE-2020-22428 | | | 0.00 | — | 0.01 | | May 5, 2021 | SolarWinds Serv-U before 15.1.6 Hotfix 3 is affected by Cross Site Scripting (XSS) via a directory name (entered by an admin) containing a JavaScript payload. |
| CVE-2021-25179 | | | 0.00 | — | 0.01 | | May 5, 2021 | SolarWinds Serv-U before 15.2 is affected by Cross Site Scripting (XSS) via the HTTP Host header. |
Page 4 of 6