4 results (0.011 seconds)

CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0

Each authenticated Orion Platform user in a MSP (Managed Service Provider) environment can view and browse all NetPath Services from all that MSP's customers. This can lead to any user having a limited insight into other customer's infrastructure and potential data cross-contamination. Cada usuario autenticado de Orion Platform en un entorno MSP (Managed Service Provider) puede visualizar y navegar todos los servicios NetPath de todos los clientes de ese MSP. Esto puede conllevar a que cualquier usuario tenga una visión limitada de la infraestructura de otros clientes y una posible contaminación cruzada de datos • https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm https://support.solarwinds.com/SuccessCenter/s/article/NPM-2020-2-6-Hotfix-2?language=en_US https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35225 •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

SolarWinds Network Performance Monitor 12.3 allows SQL Injection via the /api/ActiveAlertsOnThisEntity/GetActiveAlerts TriggeringObjectEntityNames parameter. Network Performance Monitor versión 12.3 de SolarWinds, permite la inyección SQL por medio del parámetro TriggeringObjectEntityNames del archivo /api/ActiveAlertsOnThisEntity/GetActiveAlerts. • https://labs.nettitude.com/blog/cve-2018-13442-solarwinds-npm-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0

The 'Upload logo from external path' function of SolarWinds Network Performance Monitor version 12.0.15300.90 allows remote attackers to cause a denial of service (permanent display of a "Cannot exit above the top directory" error message throughout the entire web application) via a ".." in the path field. In other words, the denial of service is caused by an incorrect implementation of a directory-traversal protection mechanism. La función "Upload logo from external path" de SolarWinds Network Performance Monitor en su versión 12.0.15300.90 permite que los atacantes remotos provoquen una denegación de servicio (muestra permanente de un mensaje de error "Cannot exit above the top directory" en toda la aplicación web) mediante un ".." en el campo path. En otras palabras, la denegación de servicio es provocada por una implementación incorrecta de un mecanismo de protección contra saltos de directorio. SolarWinds Network Performance Monitor version 12.0.15300.90 suffers from a denial of service vulnerability. • http://www.securityfocus.com/archive/1/541263/100/0/threaded http://www.securityfocus.com/bid/101066 • CWE-20: Improper Input Validation •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0

Persistent cross-site scripting (XSS) in the Add Node function of SolarWinds Network Performance Monitor version 12.0.15300.90 allows remote attackers to introduce arbitrary JavaScript into various vulnerable parameters. Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) persistente en la función Add Node de SolarWinds Network Performance Monitor en su versión 12.0.15300.90 que permite que los atacantes remotos introduzcan código JavaScript arbitrario en varios parámetros vulnerables. SolarWinds Network Performance Monitor version 12.0.15300.90 suffers from a cross site scripting vulnerability. • http://www.securityfocus.com/archive/1/541262/100/0/threaded http://www.securityfocus.com/bid/101071 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •