CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38107 – Sensitive Data Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-38107
Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details. Podría mostrarse información confidencial cuando es publicado un mensaje de error técnico detallado. Esta información podría divulgar detalles del entorno • https://docs.sentryone.com/help/sentryone-platform-release-notes https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38107 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35226 – Hashed Credential Exposure Vulnerability
https://notcve.org/view.php?id=CVE-2021-35226
An entity in Network Configuration Manager product is misconfigured and exposing password field to Solarwinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role. Una entidad del producto Network Configuration Manager está configurada inapropiadamente y expone el campo de la contraseña al Servicio de Información de Solarwinds (SWIS). Las credenciales expuestas están cifradas y requieren un acceso autenticado con un rol de NCM • https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35226 • CWE-326: Inadequate Encryption Strength •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36965 – Stored and DOM XSS in QoE Applications: Orion Platform
https://notcve.org/view.php?id=CVE-2022-36965
Insufficient sanitization of inputs in QoE application input field could lead to stored and Dom based XSS attack. This issue is fixed and released in SolarWinds Platform (2022.3.0). Un saneo insuficiente de las entradas en el campo input de la aplicación QoE podría conllevar a un ataque de tipo XSS basado en el almacenamiento y en Dom. Este problema ha sido corregido y liberado en la plataforma SolarWinds (2022.3.0) • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm#:~:text=Release%20date%3A%20May%2024%2C%202022%20These%20release%20notes%2Cissues.%20New%20features%20and%20improvements%20in%20SolarWinds%20Platform https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-36965 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36961 – Orion Platform SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-36961
A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution. Un verbo usado en Orion era vulnerable a una inyección de SQL, un atacante autenticado podría aprovechar esto para la escalada de privilegios o una ejecución de código remota This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. The specific flaw exists within the UpdateActionsDescriptions function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35249 – Domain Admin Broken Access Control
https://notcve.org/view.php?id=CVE-2021-35249
This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read-only activity is logged to the original domain and does not specify which domain was accessed. Esta vulnerabilidad de control de acceso roto es referida específicamente a un administrador de dominio que puede acceder a los datos de configuración y de usuario de otros dominios a los que no debería tener acceso. • https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3-1_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35249 • CWE-284: Improper Access Control •