CVE-2023-47132
https://notcve.org/view.php?id=CVE-2023-47132
08 Feb 2024 — An issue discovered in N-able N-central before 2023.6 and earlier allows attackers to gain escalated privileges via API calls. • https://me.n-able.com/s/security-advisory/aArHs000000M8CHKA0/cve202347132-ncentral-api-privilege-escalation • CWE-269: Improper Privilege Management
CVE-2023-30297
https://notcve.org/view.php?id=CVE-2023-30297
03 Aug 2023 — An issue found in N-able Technologies N-central Server before 2023.4 allows a local attacker to execute arbitrary code via the monitoring function of the server. • https://status.n-able.com/2023/07/27/cve-2023-30297-release-note
CVE-2020-25622
https://notcve.org/view.php?id=CVE-2020-25622
16 Dec 2020 — An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows CSRF. • https://ernw.de/en/publications.html • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2020-25621
https://notcve.org/view.php?id=CVE-2020-25621
16 Dec 2020 — An issue was discovered in SolarWinds N-Central 12.3.0.670. The local database does not require authentication: security is based only on the ability to access a network interface. The database has keys and passwords. • https://ernw.de/en/publications.html • CWE-306: Missing Authentication for Critical Function
CVE-2020-25620
https://notcve.org/view.php?id=CVE-2020-25620
16 Dec 2020 — An issue was discovered in SolarWinds N-Central 12.3.0.670. Hard-coded credentials exist by default for local user accounts named support@n-able.com and nableadmin@n-able.com. These allow logins to the N-Central Administrative Console (NAC) and/or the regular web interface. • https://ernw.de/en/publications.html • CWE-798: Use of Hard-coded Credentials
CVE-2020-25619
https://notcve.org/view.php?id=CVE-2020-25619
16 Dec 2020 — An issue was discovered in SolarWinds N-Central 12.3.0.670. The SSH component does not restrict the communication channel to intended endpoints. An attacker can leverage an SSH feature (port forwarding with a temporary key pair) to access network services on the 127.0.0.1 interface, even though this feature was only intended for user-to-agent communication. • https://ernw.de/en/publications.html
CVE-2020-25618
https://notcve.org/view.php?id=CVE-2020-25618
16 Dec 2020 — An issue was discovered in SolarWinds N-Central 12.3.0.670. The sudo configuration has incorrect access control because the nable web user account is effectively able to run arbitrary OS commands as root (i.e., the use of root privileges is not limited to specific programs listed in the sudoers file). • https://ernw.de/en/publications.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2020-25617
https://notcve.org/view.php?id=CVE-2020-25617
16 Dec 2020 — An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows relative path traversal by an authenticated user of the N-Central Administration Console (NAC), leading to execution of OS commands as root. • https://ernw.de/en/publications.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-15909
https://notcve.org/view.php?id=CVE-2020-15909
19 Oct 2020 — SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as sourceip, MFA claim, etc. as long as the victim stays logged in within N-Central. To take advantage of this, a cookie could be stolen and the JSESSIONID can be captured. On its own this is not a surprising result; low-security tools allow the cookie to roam from machine to machine. The JSESSION cookie can then b... • https://limenetworks.nl/wp-content/uploads/CVE-934261-v-1.2.pdf • CWE-384: Session Fixation
CVE-2020-15910
https://notcve.org/view.php?id=CVE-2020-15910
19 Oct 2020 — SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with JavaScript. An attacker could send the user to a prepared webpage or influence JavaScript to extract the JSESSIONID. This could then be forwarded to the attacker. • https://limenetworks.nl/wp-content/uploads/CVE-934261-v-1.2.pdf • CWE-732: Incorrect Permission Assignment for Critical Resource