CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2022-36960 – SolarWinds Platform Improper Input Validation
https://notcve.org/view.php?id=CVE-2022-36960
SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to escalate user privileges. La plataforma SolarWinds fue susceptible a una validación de entrada incorrecta. Esta vulnerabilidad permite que un adversario remoto con acceso válido a SolarWinds Web Console escale los privilegios del usuario. This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor. • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-4_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-36960 • CWE-20: Improper Input Validation CWE-287: Improper Authentication •
CVSS: 7.2EPSS: 3%CPEs: 9EXPL: 0CVE-2022-38108 – SolarWinds Platform Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2022-38108
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. SolarWinds Platform era susceptible a la Deserialización de Datos No Confiables. Esta vulnerabilidad permite a un adversario remoto con acceso a la cuenta de nivel de administrador de Orion a la consola web de SolarWinds ejecutar comandos arbitrarios This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. The specific flaw exists within the MessageToBytes function. • http://packetstormsecurity.com/files/171567/SolarWinds-Information-Service-SWIS-Remote-Command-Execution.html https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38108 https://www.zerodayinitiative.com/advisories/ZDI-CAN-17531 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2022-36958 – SolarWinds Platform Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2022-36958
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands. SolarWinds Platform era susceptible a una Deserialización de Datos No Confiables. Esta vulnerabilidad permite a un adversario remoto con acceso válido a la consola web de SolarWinds ejecutar comandos arbitrarios This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. The specific flaw exists within the DeserializeFromStrippedXml function. • https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-36958 https://www.zerodayinitiative.com/advisories/ZDI-CAN-17567 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2022-36957 – SolarWinds Platform Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2022-36957
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. SolarWinds Platform era susceptible de una Deserialización de Datos No Confiables. Esta vulnerabilidad permite a un adversario remoto con acceso a la cuenta de nivel de administrador de Orion a la Consola Web de SolarWinds ejecutar comandos arbitrarios This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. The specific flaw exists within the PropertyBagJsonConverter. • https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-36957 https://www.zerodayinitiative.com/advisories/ZDI-CAN-17530 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.4EPSS: 0%CPEs: 9EXPL: 0CVE-2022-36966 – Insecure Direct Object Reference Vulnerability: Orion Platform 2020.2.6
https://notcve.org/view.php?id=CVE-2022-36966
Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous. Los usuarios con derechos de administración de nodos podían ver y editar todos los nodos debido a un control insuficiente del parámetro URL que causaba una vulnerabilidad de referencia directa a objetos insegura (IDOR) en SolarWinds Platform 2022.3 y anteriores • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-4_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-36966 • CWE-639: Authorization Bypass Through User-Controlled Key •