
CVE-2023-47132
https://notcve.org/view.php?id=CVE-2023-47132
08 Feb 2024 — An issue discovered in N-able N-central before 2023.6 and earlier allows attackers to gain escalated privileges via API calls. • https://me.n-able.com/s/security-advisory/aArHs000000M8CHKA0/cve202347132-ncentral-api-privilege-escalation • CWE-269: Improper Privilege Management

CVE-2023-30297
https://notcve.org/view.php?id=CVE-2023-30297
03 Aug 2023 — An issue found in N-able Technologies N-central Server before 2023.4 allows a local attacker to execute arbitrary code via the monitoring function of the server. • https://status.n-able.com/2023/07/27/cve-2023-30297-release-note

CVE-2020-15909
https://notcve.org/view.php?id=CVE-2020-15909
19 Oct 2020 — SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as sourceip, MFA claim, etc. as long as the victim stays logged in within N-Central. To take advantage of this, the cookie could be stolen and the JSESSIONID captured. On its own this is not a surprising result; low security tools allow the cookie to roam from machine to machine. The JSESSION cookie can then b... • https://limenetworks.nl/wp-content/uploads/CVE-934261-v-1.2.pdf • CWE-384: Session Fixation

CVE-2020-15910
https://notcve.org/view.php?id=CVE-2020-15910
19 Oct 2020 — SolarWinds N-Central version 12.3 GA and lower does not set the HttpOnly attribute on the JSESSIONID cookie. This makes it possible to influence the cookie with JavaScript. An attacker could send the user to a prepared webpage, or influence JavaScript, to extract the JSESSIONID. This could then be forwarded to the attacker. • https://limenetworks.nl/wp-content/uploads/CVE-934261-v-1.2.pdf • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2020-7984
https://notcve.org/view.php?id=CVE-2020-7984
26 Jan 2020 — SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self register and read any aspects of the agent/appliance configuration. • https://blog.huntresslabs.com/validating-the-solarwinds-n-central-dumpster-diver-vulnerability-5e3a045982e5 • CWE-319: Cleartext Transmission of Sensitive Information