CVE-2023-33231 - Vulnerability Details - OpenCVE

XSS attack was possible in DPA 2023.2 due to insufficient input validation

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00492.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Solarwinds	Database Performance Analyzer

Configuration 1 [-]

cpe:2.3:a:solarwinds:database_performance_analyzer:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-37401	XSS attack was possible in DPA 2023.2 due to insufficient input validation

Fixes

Solution

All SolarWinds Database Performance Analyzer customers are advised to upgrade to the latest version of the SolarWinds Database Performance Analyzer version 2023.2.100

Workaround

No workaround given by the vendor.

References

Link	Providers
https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-2-100_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-33231

History

Mon, 21 Oct 2024 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2023-07-18T16:50:43.296Z

Updated: 2024-10-21T18:55:07.589Z

Reserved: 2023-05-18T17:07:54.139Z

Link: CVE-2023-33231

Vulnrichment

Updated: 2024-08-02T15:39:35.783Z

NVD

Status : Modified

Published: 2023-07-18T17:15:11.397

Modified: 2024-11-21T08:05:12.050

Link: CVE-2023-33231

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-33231", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "state": "PUBLISHED", "assignerShortName": "SolarWinds", "dateReserved": "2023-05-18T17:07:54.139Z", "datePublished": "2023-07-18T16:50:43.296Z", "dateUpdated": "2024-10-21T18:55:07.589Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows"], "product": "DPA", "vendor": "SolarWinds", "versions": [{"status": "affected", "version": "2023.2 and previous versions"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Shashank Chaurasia"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "XSS attack was possible in DPA 2023.2 due to insufficient input validation"}], "value": "XSS attack was possible in DPA 2023.2 due to insufficient input validation"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-08-03T20:25:05.945Z"}, "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-33231"}, {"url": "https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-2-100_release_notes.htm"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nAll SolarWinds Database Performance Analyzer customers are advised to upgrade to the latest version of the SolarWinds Database Performance Analyzer version 2023.2.100<br>\n\n<br>"}], "value": "\nAll SolarWinds Database Performance Analyzer customers are advised to upgrade to the latest version of the SolarWinds Database Performance Analyzer version 2023.2.100\n\n\n\n"}], "source": {"discovery": "EXTERNAL"}, "title": "XSS in SolarWinds Database Performance Analyzer 2023.2", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:39:35.783Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-33231", "tags": ["x_transferred"]}, {"url": "https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-2-100_release_notes.htm", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-21T18:54:29.304611Z", "id": "CVE-2023-33231", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-21T18:55:07.589Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-33231", "tags": ["x_transferred"]}, {"url": "https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-2-100_release_notes.htm", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:39:35.783Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-33231", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-21T18:54:29.304611Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-21T18:55:00.284Z"}}], "cna": {"title": "XSS in SolarWinds Database Performance Analyzer 2023.2", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Shashank Chaurasia"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SolarWinds", "product": "DPA", "versions": [{"status": "affected", "version": "2023.2 and previous versions"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "\nAll SolarWinds Database Performance Analyzer customers are advised to upgrade to the latest version of the SolarWinds Database Performance Analyzer version 2023.2.100\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\nAll SolarWinds Database Performance Analyzer customers are advised to upgrade to the latest version of the SolarWinds Database Performance Analyzer version 2023.2.100<br>\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-33231"}, {"url": "https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-2-100_release_notes.htm"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "XSS attack was possible in DPA 2023.2 due to insufficient input validation", "supportingMedia": [{"type": "text/html", "value": "XSS attack was possible in DPA 2023.2 due to insufficient input validation", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-08-03T20:25:05.945Z"}}}, "cveMetadata": {"cveId": "CVE-2023-33231", "state": "PUBLISHED", "dateUpdated": "2024-10-21T18:55:07.589Z", "dateReserved": "2023-05-18T17:07:54.139Z", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "datePublished": "2023-07-18T16:50:43.296Z", "assignerShortName": "SolarWinds"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:database_performance_analyzer:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0AAD326-F2D3-4B27-9C76-52AA8F38A76C", "versionEndExcluding": "2023.2.100", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XSS attack was possible in DPA 2023.2 due to insufficient input validation"}], "id": "CVE-2023-33231", "lastModified": "2024-11-21T08:05:12.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "psirt@solarwinds.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-18T17:15:11.397", "references": [{"source": "psirt@solarwinds.com", "tags": ["Release Notes"], "url": "https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-2-100_release_notes.htm"}, {"source": "psirt@solarwinds.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-33231"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-2-100_release_notes.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-33231"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@solarwinds.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}