Filtered by vendor Solarwinds
Subscribe
Total
253 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-35250 | 1 Solarwinds | 1 Serv-u | 2023-08-03 | 5.0 MEDIUM | 7.5 HIGH |
| A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1. | |||||
| CVE-2021-35248 | 2 Microsoft, Solarwinds | 2 Windows, Orion Platform | 2023-08-03 | 4.0 MEDIUM | 4.3 MEDIUM |
| It has been reported that any Orion user, e.g. guest accounts can query the Orion.UserSettings entity and enumerate users and their basic settings. | |||||
| CVE-2021-35246 | 1 Solarwinds | 1 Engineer\'s Toolset | 2023-08-03 | N/A | 5.3 MEDIUM |
| The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users. | |||||
| CVE-2021-35237 | 1 Solarwinds | 1 Kiwi Syslog Server | 2023-08-03 | 4.3 MEDIUM | 4.3 MEDIUM |
| A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. This is an attack on both the user and the server. | |||||
| CVE-2021-35234 | 1 Solarwinds | 1 Orion Platform | 2023-08-03 | 6.5 MEDIUM | 8.8 HIGH |
| Numerous exposed dangerous functions within Orion Core has allows for read-only SQL injection leading to privileged escalation. An attacker with low-user privileges may steal password hashes and password salt information. | |||||
| CVE-2021-35232 | 1 Solarwinds | 1 Webhelpdesk | 2023-08-03 | 3.6 LOW | 6.1 MEDIUM |
| Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database. | |||||
| CVE-2021-35226 | 1 Solarwinds | 1 Network Configuration Manager | 2023-08-03 | N/A | 6.5 MEDIUM |
| An entity in Network Configuration Manager product is misconfigured and exposing password field to Solarwinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role. | |||||
| CVE-2022-47504 | 1 Solarwinds | 1 Orion Platform | 2023-08-03 | N/A | 7.2 HIGH |
| SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | |||||
| CVE-2022-47503 | 1 Solarwinds | 1 Orion Platform | 2023-08-03 | N/A | 7.2 HIGH |
| SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | |||||
| CVE-2022-38115 | 1 Solarwinds | 1 Security Event Manager | 2023-08-03 | N/A | 5.3 MEDIUM |
| Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT | |||||
| CVE-2022-38113 | 1 Solarwinds | 1 Security Event Manager | 2023-08-03 | N/A | 5.3 MEDIUM |
| This vulnerability discloses build and services versions in the server response header. | |||||
| CVE-2022-38110 | 1 Solarwinds | 1 Database Performance Analyzer | 2023-08-03 | N/A | 5.4 MEDIUM |
| In Database Performance Analyzer (DPA) 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting. | |||||
| CVE-2022-38107 | 1 Solarwinds | 1 Sql Sentry | 2023-08-03 | N/A | 5.3 MEDIUM |
| Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details. | |||||
| CVE-2022-38106 | 1 Solarwinds | 1 Serv-u | 2023-08-03 | N/A | 5.4 MEDIUM |
| This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function. | |||||
| CVE-2022-36966 | 1 Solarwinds | 1 Orion Platform | 2023-08-03 | N/A | 5.4 MEDIUM |
| Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous. | |||||
| CVE-2022-36965 | 1 Solarwinds | 1 Solarwinds Platform | 2023-08-03 | N/A | 6.1 MEDIUM |
| Insufficient sanitization of inputs in QoE application input field could lead to stored and Dom based XSS attack. This issue is fixed and released in SolarWinds Platform (2022.3.0). | |||||
| CVE-2022-36963 | 1 Solarwinds | 1 Orion Platform | 2023-08-03 | N/A | 7.2 HIGH |
| The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands. | |||||
| CVE-2022-36961 | 1 Solarwinds | 1 Orion Platform | 2023-08-03 | N/A | 8.8 HIGH |
| A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution. | |||||
| CVE-2021-35252 | 1 Solarwinds | 1 Serv-u | 2023-08-03 | N/A | 7.5 HIGH |
| Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext. | |||||
| CVE-2021-35254 | 1 Solarwinds | 1 Webhelpdesk | 2023-06-26 | 6.5 MEDIUM | 8.8 HIGH |
| SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future. | |||||