Vendor CVEs
SolarWinds
All CVEs
266 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description | Vendor / Product | Sev | KEV |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-3154 | 0.00 | — | 0.01 | May 4, 2021 | An issue was discovered in SolarWinds Serv-U before 15.2.2. Unauthenticated attackers can retrieve cleartext passwords via macro Injection. NOTE: this had a distinct fix relative to CVE-2020-35481. | |||
| CVE-2021-27277 | 0.00 | — | 0.01 | Apr 22, 2021 | This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Orion Virtual Infrastructure Monitor 2020.2. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this… | |||
| CVE-2021-27240 | 0.00 | — | 0.00 | Mar 29, 2021 | This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Patch Manager 2020.2.1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific… | |||
| CVE-2020-35856 | 0.00 | — | 0.01 | Mar 26, 2021 | SolarWinds Orion Platform before 2020.2.5 allows stored XSS attacks by an administrator on the Customize View page. | |||
| CVE-2021-3109 | 0.00 | — | 0.01 | Mar 26, 2021 | The custom menu item options page in SolarWinds Orion Platform before 2020.2.5 allows Reverse Tabnabbing in the context of an administrator account. | |||
| CVE-2021-25276 | 0.00 | — | 0.00 | Feb 3, 2021 | In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server's filesystem) can add an FTP user by copying a… | |||
| CVE-2021-25275 | 0.00 | — | 0.01 | Feb 3, 2021 | SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores database credentials to access this backend in a file readable by unprivileged users. As a result, any user having access to the filesystem can… | |||
| CVE-2020-28001 | 0.00 | — | 0.04 | Feb 3, 2021 | SolarWinds Serv-U before 15.2.2 allows Authenticated Stored XSS. | |||
| CVE-2020-27994 | 0.00 | — | 0.04 | Feb 3, 2021 | SolarWinds Serv-U before 15.2.2 allows Authenticated Directory Traversal. | |||
| CVE-2020-35482 | 0.00 | — | 0.02 | Feb 3, 2021 | SolarWinds Serv-U before 15.2.2 allows authenticated reflected XSS. | |||
| CVE-2020-35481 | 0.00 | — | 0.01 | Feb 3, 2021 | SolarWinds Serv-U before 15.2.2 allows Unauthenticated Macro Injection. | |||
| CVE-2020-5684 | 0.00 | — | 0.00 | Dec 24, 2020 | iSM client versions from V5.1 prior to V12.1 running on NEC Storage Manager or NEC Storage Manager Express do not verify a server certificate properly, which allows a man-in-the-middle attacker to eavesdrop on an encrypted communication or alter the communication via a crafted… | |||
| CVE-2020-25622 | 0.00 | — | 0.01 | Dec 16, 2020 | An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows CSRF. | |||
| CVE-2020-25621 | 0.00 | — | 0.01 | Dec 16, 2020 | An issue was discovered in SolarWinds N-Central 12.3.0.670. The local database does not require authentication: security is only based on ability to access a network interface. The database has keys and passwords. | |||
| CVE-2020-25620 | 0.00 | — | 0.00 | Dec 16, 2020 | An issue was discovered in SolarWinds N-Central 12.3.0.670. Hard-coded Credentials exist by default for local user accounts named support@n-able.com and nableadmin@n-able.com. These allow logins to the N-Central Administrative Console (NAC) and/or the regular web interface. | |||
| CVE-2020-25619 | 0.00 | — | 0.00 | Dec 16, 2020 | An issue was discovered in SolarWinds N-Central 12.3.0.670. The SSH component does not restrict the Communication Channel to Intended Endpoints. An attacker can leverage an SSH feature (port forwarding with a temporary key pair) to access network services on the 127.0.0.1… | |||
| CVE-2020-25618 | 0.00 | — | 0.03 | Dec 16, 2020 | An issue was discovered in SolarWinds N-Central 12.3.0.670. The sudo configuration has incorrect access control because the nable web user account is effectively able to run arbitrary OS commands as root (i.e., the use of root privileges is not limited to specific programs… | |||
| CVE-2018-16243 | 0.00 | — | 0.01 | Dec 15, 2020 | SolarWinds Database Performance Analyzer (DPA) 11.1.468 and 12.0.3074 have several persistent XSS vulnerabilities, related to logViewer.iwc, centralManage.cen, userAdministration.iwc, database.iwc, alertManagement.iwc, eventAnnotations.iwc, and central.cen. | |||
| CVE-2020-15910 | 0.00 | — | 0.06 | Oct 19, 2020 | SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with JavaScript. An attacker could send the user to a prepared webpage or by influencing JavaScript to extract the JSESSIONID. This… | |||
| CVE-2020-15909 | 0.00 | — | 0.02 | Oct 19, 2020 | SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as sourceip, MFA claim, etc. as long as the victim stays logged in within… | |||
| CVE-2020-13169 | 0.00 | — | 0.02 | Sep 17, 2020 | Stored XSS (Cross-Site Scripting) exists in the SolarWinds Orion Platform before 2020.2.1 on multiple forms and pages. This vulnerability may lead to Information Disclosure and Escalation of Privileges (takeover of administrator account). | |||
| CVE-2020-15573 | 0.00 | — | 0.02 | Jul 7, 2020 | SolarWinds Serv-U File Server before 15.2.1 has a "Cross-script vulnerability," aka Case Numbers 00041778 and 00306421. | |||
| CVE-2020-15574 | 0.00 | — | 0.02 | Jul 7, 2020 | SolarWinds Serv-U File Server before 15.2.1 mishandles the Same-Site cookie attribute, aka Case Number 00331893. | |||
| CVE-2020-15575 | 0.00 | — | 0.02 | Jul 7, 2020 | SolarWinds Serv-U File Server before 15.2.1 allows XSS as demonstrated by Tenable Scan, aka Case Number 00484194. | |||
| CVE-2020-15576 | 0.00 | — | 0.02 | Jul 7, 2020 | SolarWinds Serv-U File Server before 15.2.1 allows information disclosure via an HTTP response. | |||
| CVE-2020-15543 | 0.00 | — | 0.02 | Jul 5, 2020 | SolarWinds Serv-U FTP server before 15.2.1 does not validate an argument path. | |||
| CVE-2020-15542 | 0.00 | — | 0.02 | Jul 5, 2020 | SolarWinds Serv-U FTP server before 15.2.1 mishandles the CHMOD command. | |||
| CVE-2020-14006 | 0.00 | — | 0.01 | Jun 24, 2020 | SolarWinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a Responsible Team. | |||
| CVE-2020-14007 | 0.00 | — | 0.01 | Jun 24, 2020 | SolarWinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a name of an alert definition. | |||
| CVE-2020-13912 | 0.00 | — | 0.01 | Jun 7, 2020 | SolarWinds Advanced Monitoring Agent before 10.8.9 allows local users to gain privileges via a Trojan horse .exe file, because everyone can write to a certain .exe file. | |||
| CVE-2019-12864 | 0.00 | — | 0.00 | May 4, 2020 | SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vulnerable to Information Leakage, because of improper error handling with stack traces, as demonstrated by discovering a full pathname upon a 500 Internal Server Error via the… | |||
| CVE-2019-20002 | 0.00 | — | 0.01 | Apr 27, 2020 | Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user. | |||
| CVE-2019-12769 | 0.00 | — | 0.01 | Mar 18, 2020 | SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 Hotfix 2 is vulnerable to Cross-Site Request Forgery in the file upload functionality via ?Command=Upload with the Dir and File parameters. | |||
| CVE-2019-12863 | 0.00 | — | 0.01 | Feb 25, 2020 | SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) allows Stored HTML Injection by administrators via the Web Console Settings screen. | |||
| CVE-2019-12954 | 0.00 | — | 0.01 | Feb 17, 2020 | SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, NetPath 1.1.3) allows XSS by authenticated users via a crafted onerror attribute of a VIDEO element in an action for an ALERT. | |||
| CVE-2020-7984 | 0.00 | — | 0.02 | Jan 26, 2020 | SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self register and read any… | |||
| CVE-2019-17127 | 0.00 | — | 0.02 | Jan 17, 2020 | A Stored Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many application forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. This can lead to privilege… | |||
| CVE-2019-17125 | 0.00 | — | 0.02 | Jan 17, 2020 | A Reflected Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. | |||
| CVE-2019-19829 | 0.00 | — | 0.02 | Dec 18, 2019 | A cross-site scripting (XSS) vulnerability exists in SolarWinds Serv-U FTP Server 15.1.7 in the email parameter, a different vulnerability than CVE-2018-19934 and CVE-2019-13182. | |||
| CVE-2019-13182 | 0.00 | — | 0.06 | Dec 16, 2019 | A stored cross-site scripting (XSS) vulnerability exists in the web UI of SolarWinds Serv-U FTP Server 15.1.7. | |||
| CVE-2019-13181 | 0.00 | — | 0.03 | Dec 16, 2019 | A CSV injection vulnerability exists in the web UI of SolarWinds Serv-U FTP Server v15.1.7. | |||
| CVE-2018-13442 | 0.00 | — | 0.02 | Jul 16, 2019 | SolarWinds Network Performance Monitor 12.3 allows SQL Injection via the /api/ActiveAlertsOnThisEntity/GetActiveAlerts TriggeringObjectEntityNames parameter. | |||
| CVE-2018-19999 | 0.00 | — | 0.01 | Jun 7, 2019 | The local management interface in SolarWinds Serv-U FTP Server 15.1.6.25 has incorrect access controls that permit local users to bypass authentication in the application and execute code in the context of the Windows SYSTEM account, leading to privilege escalation. To exploit… | |||
| CVE-2018-15906 | 0.00 | — | 0.08 | Mar 17, 2019 | SolarWinds Serv-U FTP Server 15.1.6 allows remote authenticated users to execute arbitrary code by leveraging the Import feature and modifying a CSV file. | |||
| CVE-2018-19934 | 0.00 | — | 0.06 | Mar 17, 2019 | SolarWinds Serv-U FTP Server 15.1.6.25 has reflected cross-site scripting (XSS) in the Web management interface via URL path and HTTP POST parameter. | |||
| CVE-2019-9546 | 0.00 | — | 0.03 | Mar 1, 2019 | SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege escalation through the RabbitMQ service. | |||
| CVE-2018-16792 | 0.00 | — | 0.01 | Dec 5, 2018 | SolarWinds SFTP/SCP server through 2018-09-10 is vulnerable to XXE via a world readable and writable configuration file that allows an attacker to exfiltrate data. | |||
| CVE-2018-16791 | 0.00 | — | 0.02 | Dec 5, 2018 | In SolarWinds SFTP/SCP Server through 2018-09-10, the configuration file is world readable and writable, and stores user passwords in an insecure manner, allowing an attacker to determine passwords for potentially privileged accounts. This also grants the attacker an ability to… | |||
| CVE-2015-8220 | 0.00 | — | 0.05 | Nov 17, 2015 | Stack-based buffer overflow in the URI handler in DWRCC.exe in SolarWinds DameWare Mini Remote Control before 12.0 HotFix 1 allows remote attackers to execute arbitrary code via a crafted commandline argument in a link. | |||
| CVE-2015-7840 | 0.00 | — | 0.04 | Oct 15, 2015 | The command line management console (CMC) in SolarWinds Log and Event Manager (LEM) before 6.2.0 allows remote attackers to execute arbitrary code via unspecified vectors involving the ping feature. |