Solarwinds

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-35227 1Solarwinds 1Access Rights Manager Nov 21, 2024 Oct 21, 2021 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available.
CVE-2021-35225 1Solarwinds 1Network Performance Monitor Nov 21, 2024 Oct 21, 2021 N/A· v4 6.4 MEDIUM· v3 5.5 MEDIUM· v2 Each authenticated Orion Platform user in a MSP (Managed Service Provider) environment can view and browse all NetPath Services from all that MSP's customers. This can lead to any user having a limited insight into other...Show more Each authenticated Orion Platform user in a MSP (Managed Service Provider) environment can view and browse all NetPath Services from all that MSP's customers. This can lead to any user having a limited insight into other customer's infrastructure and potential data cross-contamination.Show less
CVE-2021-35214 1Solarwinds 1Pingdom Nov 21, 2024 Oct 12, 2021 N/A· v4 4.7 MEDIUM· v3 1.9 LOW· v2 The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a...Show more The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session. This issue has been resolved on September 13, 2021.Show less
CVE-2021-35217 1Solarwinds 1Patch Manager Nov 21, 2024 Sep 8, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by exe...Show more Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data.Show less
CVE-2021-35218 1Solarwinds 1Orion Platform Nov 21, 2024 Sep 1, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this...Show more Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this and compromise the serverShow less
CVE-2021-35216 1Solarwinds 1Patch Manager Nov 21, 2024 Sep 1, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Insecure Deserialization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module. An Authenticated Attacker with network access via HTTP can compromise this...Show more Insecure Deserialization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module. An Authenticated Attacker with network access via HTTP can compromise this vulnerability can result in Remote Code Execution.Show less
CVE-2021-35215 1Solarwinds 1Orion Platform Nov 21, 2024 Sep 1, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.
CVE-2021-35238 1Solarwinds 1Orion Platform Nov 21, 2024 Sep 1, 2021 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 User with Orion Platform Admin Rights could store XSS through URL POST parameter in CreateExternalWebsite website.
CVE-2021-35212 1Solarwinds 1Orion Platform Nov 21, 2024 Aug 31, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform reported by the ZDI Team. A blind Boolean SQL injection which could lead to full read/write over the Orion database content includi...Show more An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform reported by the ZDI Team. A blind Boolean SQL injection which could lead to full read/write over the Orion database content including the Orion certificate for any authenticated user.Show less
CVE-2021-35240 1Solarwinds 1Orion Platform Nov 21, 2024 Aug 31, 2021 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 A security researcher stored XSS via a Help Server setting. This affects customers using Internet Explorer, because they do not support 'rel=noopener'.
CVE-2021-35239 1Solarwinds 1Orion Platform Nov 21, 2024 Aug 31, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A security researcher found a user with Orion map manage rights could store XSS through via text box hyperlink.
CVE-2021-35223 1Solarwinds 1Serv U Nov 21, 2024 Aug 31, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that can take the form of user string variables, allowing remote cod...Show more The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that can take the form of user string variables, allowing remote code execution.Show less
CVE-2021-35213 1Solarwinds 1Orion Platform Nov 21, 2024 Aug 31, 2021 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to the Administrator using this vulnerabil...Show more An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to the Administrator using this vulnerability. Authentication is required to exploit the vulnerability.Show less
CVE-2021-35222 1Solarwinds 1Orion Platform Nov 21, 2024 Aug 31, 2021 N/A· v4 9.6 CRITICAL· v3 4.3 MEDIUM· v2 This vulnerability allows attackers to impersonate users and perform arbitrary actions leading to a Remote Code Execution (RCE) from the Alerts Settings page.
CVE-2021-35221 1Solarwinds 1Orion Platform Nov 21, 2024 Aug 31, 2021 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 Improper Access Control Tampering Vulnerability using ImportAlert function which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.
CVE-2021-35220 1Solarwinds 1Orion Platform Nov 21, 2024 Aug 31, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Command Injection vulnerability in EmailWebPage API which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.
CVE-2021-35219 1Solarwinds 1Orion Platform Nov 21, 2024 Aug 31, 2021 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 ExportToPdfCmd Arbitrary File Read Information Disclosure Vulnerability using ImportAlert function within the Alerts Settings page.
CVE-2021-32076 1Solarwinds 1Web Help Desk Nov 21, 2024 Aug 26, 2021 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-pr...Show more Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-privileged IP address network range or loopback address by intercepting the HTTP request and changing the referrer from the public IP address to the loopback.Show less
CVE-2021-28674 1Solarwinds 1Orion Platform Nov 21, 2024 Jul 30, 2021 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because nod...Show more The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because node IDs are predictable (with incrementing numbers) and the access control on Services/NodeManagement.asmx/DeleteObjNow is incorrect. To exploit this, an attacker must be authenticated and must have node management rights associated with at least one valid group on the platform.Show less
CVE-2021-35211 1Solarwinds 1Serv U Oct 27, 2025 Jul 14, 2021 N/A· v4 10.0 CRITICAL· v3 10.0 HIGH· v2 Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the...Show more Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.Show less

Previous 1...8910...16 Next