CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35251 – Sensitive Data Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-35251
Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation. Podría mostrarse información confidencial cuando es publicado un mensaje de error técnico detallado. Esta información podría revelar detalles del entorno de la instalación del servicio de asistencia web • https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-7-8_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35251 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35243 – HTTP PUT & DELETE Methods Enabled
https://notcve.org/view.php?id=CVE-2021-35243
The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method requests that the origin server removes the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity. Los métodos HTTP PUT y DELETE fueron habilitados en el servidor web de Web Help Desk (12.7.7 y anteriores), permitiendo a los usuarios ejecutar peticiones HTTP peligrosas. • https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35243 • CWE-749: Exposed Dangerous Method or Function •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32076 – Access Restriction bypass vulnerability via referrer spoof - Business Logic Bypass
https://notcve.org/view.php?id=CVE-2021-32076
Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-privileged IP address network range or loopback address by intercepting the HTTP request and changing the referrer from the public IP address to the loopback. En SolarWinds Web Help Desk versión 12.7.2, se ha detectado una Omisión de Restricciones de Acceso por medio de una suplantación de referencias. Un atacante puede acceder a "Web Help Desk Getting Started Wizard", especialmente a la página de creación de la cuenta de administrador, desde un rango de red de direcciones IP sin privilegios o una dirección de loopback al interceptar la petición HTTP y cambiando el referrer de la dirección IP pública al loopback • https://exchange.xforce.ibmcloud.com/vulnerabilities/208278 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-32076 • CWE-290: Authentication Bypass by Spoofing •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16961
https://notcve.org/view.php?id=CVE-2019-16961
SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name. SolarWinds Web Help Desk versión 12.7.0, permite un ataque de tipo XSS por medio de un Schedule Name • https://support.solarwinds.com/SuccessCenter/s https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk-cve-2019-16961-responsible-vulnerability-disclosure https://www.solarwinds.com/free-tools/free-help-desk-software • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16954
https://notcve.org/view.php?id=CVE-2019-16954
SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in a Help Request ticket. SolarWinds Web Help Desk versión 12.7.0, permite una inyección de HTML por medio de un Comentario en un ticket de Petición de Ayuda • https://support.solarwinds.com/SuccessCenter/s https://www.esecforte.com/html-injection-vulnerability-in-solarwinds-web-help-desk https://www.solarwinds.com/free-tools/free-help-desk-software • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •