CVSS: 8.3EPSS: 24%CPEs: 1EXPL: 0CVE-2022-38111 – SolarWinds Platform Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2022-38111
15 Feb 2023 — SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the BytesToMessage function. The issue results from the lack of proper validati... • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47506 – SolarWinds Platform Directory Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2022-47506
15 Feb 2023 — SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor. Authentication may be required to exploit this vulnerability, depending on the product configuration. The specific flaw exists within the... • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47507 – SolarWinds Platform Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2022-47507
15 Feb 2023 — SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. The specific flaw exists within the WorkerProcessWCFProxy function. The issue results from the lac... • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47508 – Disable NTLM: SAM 2022.4
https://notcve.org/view.php?id=CVE-2022-47508
15 Feb 2023 — Customers who had configured their polling to occur via Kerberos did not expect NTLM Traffic on their environment, but since we were querying for data via IP address this prevented us from utilizing Kerberos. • https://documentation.solarwinds.com/en/success_center/sam/content/release_notes/sam_2023-1_release_notes.htm • CWE-287: Improper Authentication •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-47012
https://notcve.org/view.php?id=CVE-2022-47012
20 Jan 2023 — Use of uninitialized variable in function gen_eth_recv in GNS3 dynamips 0.2.21. Uso de variable no inicializada en la función gen_eth_recv en GNS3 dynamips 0.2.21. • https://github.com/GNS3/dynamips/issues/125 • CWE-908: Use of Uninitialized Resource •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38110 – Reflected Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2022-38110
20 Jan 2023 — In Database Performance Analyzer (DPA) 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting. • https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-1_release_notes.htm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38112 – Sensitive Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-38112
20 Jan 2023 — In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext. En DPA 2022.4 y versiones anteriores, los volcados de memoria del montón generados contienen información sensible en texto no cifrado. • https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-1_release_notes.htm • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-47512 – Sensitive Data Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-47512
19 Dec 2022 — Sensitive information was stored in plain text in a file that is accessible by a user with a local account in Hybrid Cloud Observability (HCO)/ SolarWinds Platform 2022.4. No other versions are affected • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-4-1_release_notes.htm • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35252 – Common Key Vulnerability in Serv-U FTP Server
https://notcve.org/view.php?id=CVE-2021-35252
16 Dec 2022 — Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext. Parece que se utiliza una clave de cifrado común en todas las instancias implementadas del Serv-U FTP Server. Debido a esto, un valor cifrado que está expuesto a un atacante se puede recuperar simplemente en texto plano. • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35252 • CWE-287: Improper Authentication CWE-798: Use of Hard-coded Credentials •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-38106 – Cross-Site Scripting Vulnerability in Serv-U Web Client
https://notcve.org/view.php?id=CVE-2022-38106
16 Dec 2022 — This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function. • https://cve.mitre.org/cgi-bin/cvename.cgi?name=%20CVE-2022-38106 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •