
CVE-2020-25617
https://notcve.org/view.php?id=CVE-2020-25617
16 Dec 2020 — An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows Relative Path Traversal by an authenticated user of the N-Central Administration Console (NAC), leading to execution of OS commands as root. • https://ernw.de/en/publications.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2018-16243
https://notcve.org/view.php?id=CVE-2018-16243
15 Dec 2020 — SolarWinds Database Performance Analyzer (DPA) 11.1.468 and 12.0.3074 have several persistent XSS vulnerabilities, related to logViewer.iwc, centralManage.cen, userAdministration.iwc, database.iwc, alertManagement.iwc, eventAnnotations.iwc, and central.cen. • https://gist.github.com/james-otten/d3ee2f0fccc3b87aafe1616a6c2c2d4e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2019-16958
https://notcve.org/view.php?id=CVE-2019-16958
01 Dec 2020 — Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 12.7.0 allows attacker to inject arbitrary web script or HTML via Location Name. • https://www.esecforte.com/cross-site-scripting-vulnerability-with-solarwinds-web-help-desk • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-15909
https://notcve.org/view.php?id=CVE-2020-15909
19 Oct 2020 — SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as sourceip, MFA claim, etc. as long as the victim stays logged in within N-Central. To take advantage of this, cookie could be stolen and the JSESSIONID can be captured. On its own this is not a surprising result; low security tools allow the cookie to roam from machine to machine. The JSESSION cookie can then b... • https://limenetworks.nl/wp-content/uploads/CVE-934261-v-1.2.pdf • CWE-384: Session Fixation •

CVE-2020-15910
https://notcve.org/view.php?id=CVE-2020-15910
19 Oct 2020 — SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with JavaScript. An attacker could extract the JSESSIONID by sending the user to a prepared webpage or by influencing JavaScript. This could then be forwarded to the attacker. • https://limenetworks.nl/wp-content/uploads/CVE-934261-v-1.2.pdf • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2020-13169
https://notcve.org/view.php?id=CVE-2020-13169
17 Sep 2020 — Stored XSS (Cross-Site Scripting) exists in the SolarWinds Orion Platform before 2020.2.1 on multiple forms and pages. This vulnerability may lead to Information Disclosure and Escalation of Privileges (takeover of administrator account). • https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Release_Notes/Orion_Platform_2020-2-1_release_notes.htm#NewFeaturesOrion • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-15573
https://notcve.org/view.php?id=CVE-2020-15573
07 Jul 2020 — SolarWinds Serv-U File Server before 15.2.1 has a "Cross-script vulnerability," aka Case Numbers 00041778 and 00306421. • https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-2-1_release_notes.htm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-15574
https://notcve.org/view.php?id=CVE-2020-15574
07 Jul 2020 — SolarWinds Serv-U File Server before 15.2.1 mishandles the Same-Site cookie attribute, aka Case Number 00331893. • https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-2-1_release_notes.htm •

CVE-2020-15575
https://notcve.org/view.php?id=CVE-2020-15575
07 Jul 2020 — SolarWinds Serv-U File Server before 15.2.1 allows XSS as demonstrated by Tenable Scan, aka Case Number 00484194. • https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-2-1_release_notes.htm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-15576
https://notcve.org/view.php?id=CVE-2020-15576
07 Jul 2020 — SolarWinds Serv-U File Server before 15.2.1 allows information disclosure via an HTTP response. • https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-2-1_release_notes.htm •