CVE-2022-47509 - Vulnerability Details - OpenCVE

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00828.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Solarwinds	Orion Platform

Configuration 1 [-]

cpe:2.3:a:solarwinds:orion_platform:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-50270	The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

Fixes

Solution

All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.2

Workaround

No workaround given by the vendor.

References

Link	Providers
https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47509

History

Tue, 04 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2023-04-21T00:00:00.000Z

Updated: 2025-02-04T21:11:36.903Z

Reserved: 2022-12-15T00:00:00.000Z

Link: CVE-2022-47509

Vulnrichment

Updated: 2024-08-03T14:55:08.382Z

NVD

Status : Modified

Published: 2023-04-21T20:15:07.247

Modified: 2024-11-21T07:32:06.850

Link: CVE-2022-47509

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-47509", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "assignerShortName": "SolarWinds", "dateUpdated": "2025-02-04T21:11:36.903Z", "dateReserved": "2022-12-15T00:00:00.000Z", "datePublished": "2023-04-21T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SolarWinds Platform", "vendor": "SolarWinds", "versions": [{"lessThanOrEqual": "2023.2", "status": "affected", "version": "2023.1 and prior versions", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "SolarWinds would like to thank Juampa Rodriguez (@UnD3sc0n0c1d0) for reporting on the issue in a responsible manner."}], "datePublic": "2023-04-16T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.</p>"}], "value": "The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-08-03T20:05:48.322Z"}, "references": [{"url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm"}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47509"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.2</p>"}], "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.2\n\n"}], "source": {"discovery": "EXTERNAL"}, "title": "SolarWinds Platform Incorrect Input Neutralization Vulnerability", "x_generator": {"engine": "vulnogram 0.1.0-rc1"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:55:08.382Z"}, "title": "CVE Program Container", "references": [{"url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm", "tags": ["x_transferred"]}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47509", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-04T21:09:25.484974Z", "id": "CVE-2022-47509", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-04T21:11:36.903Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm", "tags": ["x_transferred"]}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47509", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:55:08.382Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-47509", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-04T21:09:25.484974Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-04T21:09:30.570Z"}}], "cna": {"title": "SolarWinds Platform Incorrect Input Neutralization Vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "SolarWinds would like to thank Juampa Rodriguez (@UnD3sc0n0c1d0) for reporting on the issue in a responsible manner."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SolarWinds", "product": "SolarWinds Platform", "versions": [{"status": "affected", "version": "2023.1 and prior versions", "versionType": "custom", "lessThanOrEqual": "2023.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.2\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.2</p>", "base64": false}]}], "datePublic": "2023-04-16T16:00:00.000Z", "references": [{"url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm"}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47509"}], "x_generator": {"engine": "vulnogram 0.1.0-rc1"}, "descriptions": [{"lang": "en", "value": "The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.\n\n", "supportingMedia": [{"type": "text/html", "value": "<p>The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-08-03T20:05:48.322Z"}}}, "cveMetadata": {"cveId": "CVE-2022-47509", "state": "PUBLISHED", "dateUpdated": "2025-02-04T21:11:36.903Z", "dateReserved": "2022-12-15T00:00:00.000Z", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "datePublished": "2023-04-21T00:00:00.000Z", "assignerShortName": "SolarWinds"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:orion_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "813EF4B0-6B36-47B1-9AEE-83040037F7EE", "versionEndExcluding": "2023.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.\n\n"}], "id": "CVE-2022-47509", "lastModified": "2024-11-21T07:32:06.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "psirt@solarwinds.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-21T20:15:07.247", "references": [{"source": "psirt@solarwinds.com", "tags": ["Release Notes"], "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm"}, {"source": "psirt@solarwinds.com", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47509"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47509"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@solarwinds.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}