CVSS: 8.6EPSS: 94%CPEs: 3EXPL: 10CVE-2024-28995 – SolarWinds Serv-U Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2024-28995
06 Jun 2024 — SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine. SolarWinds Serv-U era susceptible a una vulnerabilidad directory transversal que permitiría el acceso para leer archivos confidenciales en la máquina host. SolarWinds Serv-U contains a path traversal vulnerability that allows an attacker access to read sensitive files on the host machine. • https://packetstorm.news/files/id/180707 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-40053 – HTML injection Vulnerability in Serv-U 15.4
https://notcve.org/view.php?id=CVE-2023-40053
06 Dec 2023 — A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously. Se ha identificado una vulnerabilidad en Serv-U 15.4 que permite a un actor autenticado insertar contenido en la función de compartir archivos de Serv-U, que podría usarse de manera maliciosa. • https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-4-1_release_notes.htm • CWE-20: Improper Input Validation •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-40060 – 2FA/MFA Bypass Vulnerability in Serv-U 15.4 and 15.4 Hotfix 1
https://notcve.org/view.php?id=CVE-2023-40060
07 Sep 2023 — A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4. SolarWinds found that the issue was not completely fixed in 15.4 Hotfix 1. Se ha identificado una vulnerabilidad dentro de Serv-U 15.4 y 15.4 Hotfix 1 que, si se explota, permite a un actor eludir la autenticación multifactor/de dos factores. El actor debe tener acc... • https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-0-Hotfix-2?language=en_US • CWE-284: Improper Access Control •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35179 – 2FA/MFA Bypass Vulnerability in Serv-U 15.4
https://notcve.org/view.php?id=CVE-2023-35179
10 Aug 2023 — A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. Se ha identificado una vulnerabilidad dentro de Serv-U 15.4 que, si se explota, permite a un actor eludir la autenticación multifactor/de dos factores. El actor debe tener acceso de nivel de administrador a Serv-U para realizar esta acción.  • https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-Hotfix-1?language=en_US • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23841 – SolarWinds Serv-U Exposure of Sensitive Information Vulnerability
https://notcve.org/view.php?id=CVE-2023-23841
15 Jun 2023 — SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request. Part of the URL of the request discloses sensitive data. SolarWinds Serv-U está enviando una solicitud HTTP al cambiar o actualizar los atributos de "File Share" o "File Request?". Parte de la URL de la solicitud revela datos confidenciales. • https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/serv-u_15-4_release_notes.htm • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-38106 – Cross-Site Scripting Vulnerability in Serv-U Web Client
https://notcve.org/view.php?id=CVE-2022-38106
16 Dec 2022 — This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function. • https://cve.mitre.org/cgi-bin/cvename.cgi?name=%20CVE-2022-38106 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35252 – Common Key Vulnerability in Serv-U FTP Server
https://notcve.org/view.php?id=CVE-2021-35252
16 Dec 2022 — Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext. Parece que se utiliza una clave de cifrado común en todas las instancias implementadas del Serv-U FTP Server. Debido a esto, un valor cifrado que está expuesto a un atacante se puede recuperar simplemente en texto plano. • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35252 • CWE-287: Improper Authentication CWE-798: Use of Hard-coded Credentials •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35249 – Domain Admin Broken Access Control
https://notcve.org/view.php?id=CVE-2021-35249
17 May 2022 — This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read-only activity is logged to the original domain and does not specify which domain was accessed. Esta vulner... • https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3-1_release_notes.htm • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 92%CPEs: 1EXPL: 1CVE-2021-35250 – Directory Transversal Vulnerability in Serv-U 15.3
https://notcve.org/view.php?id=CVE-2021-35250
25 Apr 2022 — A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1. Un investigador informó de una Vulnerabilidad de Salto de Directorio en Serv-U versión 15.3. Esto puede permitir el acceso a archivos relacionados con la instalación de Serv-U y los archivos del servidor. • https://github.com/rissor41/SolarWinds-CVE-2021-35250 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 5%CPEs: 1EXPL: 0CVE-2021-35247 – SolarWinds Serv-U Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2021-35247
07 Jan 2022 — Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters. To insure proper input validation is completed in all environments. SolarWinds recommends scheduling an update to the latest version of Serv-U. • https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm • CWE-20: Improper Input Validation •