CVSS: 7.5EPSS: 13%CPEs: 1EXPL: 1CVE-2020-5734
https://notcve.org/view.php?id=CVE-2020-5734
07 Apr 2020 — Classic buffer overflow in SolarWinds Dameware allows a remote, unauthenticated attacker to cause a denial of service by sending a large 'SigPubkeyLen' during ECDH key exchange. Un desbordamiento de búfer clásico en SolarWinds Dameware permite a un atacante remoto no autenticado causar una denegación de servicio por medio del envío de un "SigPubkeyLen" largo durante de claves ECDH. • https://www.tenable.com/security/research/tra-2020-19 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-12769
https://notcve.org/view.php?id=CVE-2019-12769
18 Mar 2020 — SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 Hotfix 2 is vulnerable to Cross-Site Request Forgery in the file upload functionality via ?Command=Upload with the Dir and File parameters. El cliente SolarWinds Serv-U Managed File Transfer (MFT) Web versiones anteriores a 15.1.6 Hotfix 2, es vulnerable a un ataque de tipo Cross-Site Request Forgery en la funcionalidad de carga de archivos mediante ?Command=Upload con los parámetros Dir y File. • https://medium.com/%40clod81/cve-2019-12769-solarwinds-serv-u-managed-file-transfer-mft-web-client-15-1-6-a2dab98d668d • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.8EPSS: 1%CPEs: 3EXPL: 1CVE-2019-12863
https://notcve.org/view.php?id=CVE-2019-12863
25 Feb 2020 — SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) allows Stored HTML Injection by administrators via the Web Console Settings screen. SolarWinds Orion Platform versión 2018.4 HF3 (NPM versión 12.4, NetPath versión 1.1.4), permite una inyección HTML Almacenada por los administradores por medio de la pantalla Web Console Settings. • https://www.esecforte.com/responsible-vulnerability-disclosure-cve-2019-12863-stored-html-injection-vulnerability-in-solarwinds-orion-platform-2018-4-hf3-npm-12-4-netpath-1-1-4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 2%CPEs: 2EXPL: 1CVE-2019-12954
https://notcve.org/view.php?id=CVE-2019-12954
17 Feb 2020 — SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, NetPath 1.1.3) allows XSS by authenticated users via a crafted onerror attribute of a VIDEO element in an action for an ALERT. SolarWinds Network Performance Monitor (Orion Platform 2018, NPM versión 12.3, NetPath versión 1.1.3), permite un ataque de tipo XSS por parte de usuarios autenticados mediante un atributo onerror diseñado de un elemento de VIDEO en una acción para una ALERTA. • https://www.esecforte.com/cve-2019-12954-solarwinds-network-performance-monitor-orion-platform-2018-npm-12-3-netpath-1-1-3-vulnerable-for-stored-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-7984
https://notcve.org/view.php?id=CVE-2020-7984
26 Jan 2020 — SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self register and read any aspects of the agent/appliance configuration. SolarWinds N-central versiones anteriores a 12.1 SP1 HF5 y versiones 12.2 anteriores a SP1 HF2, permite a atacantes remotos recuperar credenciales de administrador de dominio de texto sin cifr... • https://blog.huntresslabs.com/validating-the-solarwinds-n-central-dumpster-diver-vulnerability-5e3a045982e5 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 0CVE-2019-17127
https://notcve.org/view.php?id=CVE-2019-17127
17 Jan 2020 — A Stored Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many application forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. This can lead to privilege escalation. Se detectó una Stored Client Side Template Injection (CSTI) con Angular en SolarWinds Orion Platform versión 2019.2 HF1 en muchos formularios de aplicación. Un atacante puede inyectar una expresión de Angular y escapar del sandb... • https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2019-4-Hotfix-3?ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1&r=116&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 0CVE-2019-17125
https://notcve.org/view.php?id=CVE-2019-17125
17 Jan 2020 — A Reflected Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS. Se detectó una Reflected Client Side Template Injection (CSTI) con Angular en la plataforma SolarWinds Orion versión 2019.2 HF1 en muchos formularios. Un atacante puede inyectar una expresión de Angular y escapar del sandbox de Angular para lograr un ataque de tipo XSS almace... • https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2019-4-Hotfix-3?ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1&r=116&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 1%CPEs: 1EXPL: 2CVE-2019-19829 – Serv-U FTP Server 15.1.7 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-19829
17 Dec 2019 — A cross-site scripting (XSS) vulnerability exists in SolarWinds Serv-U FTP Server 15.1.7 in the email parameter, a different vulnerability than CVE-2018-19934 and CVE-2019-13182. Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en SolarWinds Serv-U FTP Server versión 15.1.7 en el parámetro email, una vulnerabilidad diferente de CVE-2018-19934 y CVE-2019-13182. Serv-U FTP Server version 15.1.7 suffers from a persistent cross site scripting vulnerability leveraging the Email parameter. • https://packetstorm.news/files/id/155708 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 1CVE-2019-13181 – Serv-U FTP Server 15.1.7 CSV Injection
https://notcve.org/view.php?id=CVE-2019-13181
16 Dec 2019 — A CSV injection vulnerability exists in the web UI of SolarWinds Serv-U FTP Server v15.1.7. Se presenta una vulnerabilidad de inyección CSV en la Interfaz de Usuario web de SolarWinds Serv-U FTP Server versión v15.1.7. Serv-U FTP Server version 15.1.7 suffers from a CSV injection vulnerability. • https://packetstorm.news/files/id/155673 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 5.4EPSS: 2%CPEs: 1EXPL: 1CVE-2019-13182 – Serv-U FTP Server 15.1.7 Persistent Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-13182
16 Dec 2019 — A stored cross-site scripting (XSS) vulnerability exists in the web UI of SolarWinds Serv-U FTP Server 15.1.7. Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) almacenado en la Interfaz de Usuario web de SolarWinds Serv-U FTP versión 15.1.7. Serv-U FTP Server version 15.1.7 suffers from a persistent cross site scripting vulnerability. • https://packetstorm.news/files/id/155672 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •