
CVSS: 5.3 | EPSS: 2% | CPEs: 1 | EXPL: 0

27 Oct 2021 — The ASP.NET debug feature is enabled by default in Kiwi Syslog Server 9.7.2 and previous versions. ASP.NET allows remote debugging of web applications, if configured to do so. Debug mode causes ASP.NET to compile applications with extra information. The information enables a debugger to closely monitor and control the execution of an application. If an attacker could successfully start a remote debugging session, this is likely to disclose sensitive information about the web application and supporting infra... • https://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm • CWE-11: ASP.NET Misconfiguration: Creating Debug Binary •

CVSS: 5.3 | EPSS: 1% | CPEs: 1 | EXPL: 0

27 Oct 2021 — The HTTP TRACK & TRACE methods were enabled in Kiwi Syslog Server 9.7.1 and earlier. These methods are intended for diagnostic purposes only. If enabled, the web server will respond to requests that use these methods by returning the exact HTTP request that was received in the response to the client. This may lead to the disclosure of sensitive information such as internal authentication headers appended by reverse proxies. • https://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm • CWE-16: Configuration •

CVSS: 6.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Oct 2021 — As a result of an unquoted service path vulnerability present in the Kiwi Syslog Server Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry. Example vulnerable path: "Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Kiwi Syslog Server\Parameters\Application". • https://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm • CWE-428: Unquoted Search Path or Element •

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

22 Oct 2021 — As a result of an unquoted service path vulnerability present in the Kiwi CatTools Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry. • https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35230 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 Oct 2021 — This vulnerability occurred due to missing input sanitization for one of the output fields that is extracted from headers on a specific section of the page, causing a reflected cross-site scripting attack. An attacker would need to perform a man-in-the-middle attack in order to change the header for a remote victim. • https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2021-3-7438_release_notes.htm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 Oct 2021 — The HTTP interface was enabled for the RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available. • https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2021-4_release_notes.htm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-502: Deserialization of Untrusted Data •

CVSS: 6.4 | EPSS: 1% | CPEs: 2 | EXPL: 0

21 Oct 2021 — Each authenticated Orion Platform user in an MSP (Managed Service Provider) environment can view and browse all NetPath Services from all of that MSP's customers. This can lead to any user having limited insight into other customers' infrastructure and potential data cross-contamination. • https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm •

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Oct 2021 — The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate the user session upon a password or email address change. When running multiple active sessions in separate browser windows, it was observed that a password or email address could be changed without terminating the user session. This issue has been resolved on September 13, 2021. • https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214 • CWE-613: Insufficient Session Expiration •

CVSS: 8.9 | EPSS: 60% | CPEs: 1 | EXPL: 0

08 Sep 2021 — An insecure deserialization of untrusted data remote code execution vulnerability was discovered in the Patch Manager Orion Platform Integration module and reported to us by ZDI. An authenticated attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data. • https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm • CWE-502: Deserialization of Untrusted Data •

CVSS: 8.9 | EPSS: 19% | CPEs: 1 | EXPL: 0

01 Sep 2021 — Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this and compromise the server. • https://documentation.solarwinds.com/en/success_center/patchman/content/release_notes/patchman_2020-2-6_release_notes.htm • CWE-502: Deserialization of Untrusted Data •