CVE-2021-35250 – Directory Traversal Vulnerability in Serv-U 15.3
https://notcve.org/view.php?id=CVE-2021-35250
A researcher reported a Directory Traversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.
• https://github.com/rissor41/SolarWinds-CVE-2021-35250
• https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-3-HotFix-1?language=en_US
• https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35250
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-35229 – Cross-Site Scripting Vulnerability using SQL Query
https://notcve.org/view.php?id=CVE-2021-35229
A cross-site scripting vulnerability is present in Database Performance Monitor 2022.1.7779 and previous versions when using a complex SQL query.
• https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2022-2_release_notes.htm
• https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35229
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-35254 – Authenticated Remote Code Execution in WebHelpDesk 12.7.8
https://notcve.org/view.php?id=CVE-2021-35254
SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future.
• https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US
• https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254
• CWE-20: Improper Input Validation
CVE-2021-35251 – Sensitive Data Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-35251
Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation.
• https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-7-8_release_notes.htm
• https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35251
• CWE-209: Generation of Error Message Containing Sensitive Information
CVE-2021-35247 – SolarWinds Serv-U Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2021-35247
The Serv-U web login screen for LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please note: no downstream effect has been detected, as the LDAP servers ignored improper characters. To ensure proper input validation is completed in all environments, SolarWinds recommends scheduling an update to the latest version of Serv-U.
• https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm
• https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247
• CWE-20: Improper Input Validation