Filtered by vendor Solarwinds
Subscriptions
Total
269 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2021-25275 | 1 Solarwinds | 1 Orion Platform | 2024-08-03 | 7.8 High |
SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores database credentials to access this backend in a file readable by unprivileged users. As a result, any user having access to the filesystem can read database login details from that file, including the login name and its associated password. Then, the credentials can be used to get database owner access to the SWNetPerfMon.DB database. This gives access to the data collected by SolarWinds applications, and leads to admin access to the applications by inserting or changing authentication data stored in the Accounts table of the database. | ||||
CVE-2021-25274 | 1 Solarwinds | 1 Orion Platform | 2024-08-03 | 9.8 Critical |
The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem. | ||||
CVE-2021-25179 | 1 Solarwinds | 1 Serv-u File Server | 2024-08-03 | 6.1 Medium |
SolarWinds Serv-U before 15.2 is affected by Cross Site Scripting (XSS) via the HTTP Host header. | ||||
CVE-2021-3154 | 1 Solarwinds | 1 Serv-u | 2024-08-03 | 7.5 High |
An issue was discovered in SolarWinds Serv-U before 15.2.2. Unauthenticated attackers can retrieve cleartext passwords via macro Injection. NOTE: this had a distinct fix relative to CVE-2020-35481. | ||||
CVE-2021-3109 | 1 Solarwinds | 1 Orion Platform | 2024-08-03 | 4.8 Medium |
The custom menu item options page in SolarWinds Orion Platform before 2020.2.5 allows Reverse Tabnabbing in the context of an administrator account. | ||||
CVE-2022-47509 | 1 Solarwinds | 1 Orion Platform | 2024-08-03 | 6.1 Medium |
The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML. | ||||
CVE-2022-47506 | 1 Solarwinds | 1 Orion Platform | 2024-08-03 | 7.8 High |
SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands. | ||||
CVE-2022-47504 | 1 Solarwinds | 1 Orion Platform | 2024-08-03 | 7.2 High |
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | ||||
CVE-2022-47508 | 1 Solarwinds | 1 Server And Application Monitor | 2024-08-03 | 7.5 High |
Customers who had configured their polling to occur via Kerberos did not expect NTLM Traffic on their environment, but since we were querying for data via IP address this prevented us from utilizing Kerberos. | ||||
CVE-2022-47503 | 1 Solarwinds | 1 Orion Platform | 2024-08-03 | 7.2 High |
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | ||||
CVE-2022-47507 | 1 Solarwinds | 1 Orion Platform | 2024-08-03 | 7.2 High |
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | ||||
CVE-2022-47505 | 1 Solarwinds | 1 Orion Platform | 2024-08-03 | 7.8 High |
The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges. | ||||
CVE-2022-47012 | 1 Solarwinds | 1 Dynamips | 2024-08-03 | 7.5 High |
Use of uninitialized variable in function gen_eth_recv in GNS3 dynamips 0.2.21. | ||||
CVE-2022-38114 | 1 Solarwinds | 1 Security Event Manager | 2024-08-03 | 6.1 Medium |
This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests. This can lead to HTTP request smuggling or XSS. | ||||
CVE-2022-38106 | 1 Solarwinds | 1 Serv-u | 2024-08-03 | 5.4 Medium |
This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function. | ||||
CVE-2022-38112 | 1 Solarwinds | 1 Database Performance Analyzer | 2024-08-03 | 7.5 High |
In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext. | ||||
CVE-2022-38111 | 1 Solarwinds | 1 Orion Platform | 2024-08-03 | 7.2 High |
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | ||||
CVE-2022-38115 | 1 Solarwinds | 1 Security Event Manager | 2024-08-03 | 5.3 Medium |
Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT | ||||
CVE-2022-38110 | 1 Solarwinds | 1 Database Performance Analyzer | 2024-08-03 | 5.4 Medium |
In Database Performance Analyzer (DPA) 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting. | ||||
CVE-2022-38113 | 1 Solarwinds | 1 Security Event Manager | 2024-08-03 | 5.3 Medium |
This vulnerability discloses build and services versions in the server response header. |