
CVSS: 10.0 • EPSS: 29% • CPEs: 1 • EXPL: 4

08 Oct 2019 — The SolarWinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication, which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable that runs under the Local System account. • https://github.com/warferik/CVE-2019-3980 • CWE-346: Origin Validation Error •

CVSS: 6.1 • EPSS: 35% • CPEs: 1 • EXPL: 2

14 Aug 2019 — SolarWinds Database Performance Analyzer 11.1.457 contains an instance of Reflected XSS in its idcStateError component, where the page parameter is reflected into the HREF of the 'Try Again' button on the page, aka a /iwc/idcStateError.iwc?page= URI. • https://i.imgur.com/Y7t2AD6.png • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Jul 2019 — SolarWinds Network Performance Monitor 12.3 allows SQL Injection via the /api/ActiveAlertsOnThisEntity/GetActiveAlerts TriggeringObjectEntityNames parameter. • https://labs.nettitude.com/blog/cve-2018-13442-solarwinds-npm-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8 • EPSS: 51% • CPEs: 2 • EXPL: 8

17 Jun 2019 — A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux. Serv-U FTP Server version 15.1.6 suffers from a local privilege escalation vulnerability. • https://packetstorm.news/files/id/153333 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 7.4 • EPSS: 6% • CPEs: 1 • EXPL: 1

07 Jun 2019 — Dameware Remote Mini Control version 12.1.0.34 and prior contains an unauthenticated remote buffer over-read due to the server not properly validating RsaSignatureLen during key negotiation, which could crash the application or leak sensitive information. • https://www.tenable.com/security/research/tra-2019-26 • CWE-20: Improper Input Validation, CWE-125: Out-of-bounds Read •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 May 2019 — The local management interface in SolarWinds Serv-U FTP Server 15.1.6.25 has incorrect access controls that permit local users to bypass authentication in the application and execute code in the context of the Windows SYSTEM account, leading to privilege escalation. To exploit this vulnerability, an attacker must have local access to the host running Serv-U, and a Serv-U administrator must have an active management console session. • https://packetstorm.news/files/id/153128 • CWE-287: Improper Authentication •

CVSS: 7.5 • EPSS: 15% • CPEs: 1 • EXPL: 4

02 May 2019 — DWRCC in SolarWinds DameWare Mini Remote Control 10.0 x64 has a Buffer Overflow associated with the size field for the machine name. SolarWinds DameWare Mini Remote Control version 10.0 suffers from a denial of service vulnerability. • https://packetstorm.news/files/id/152721 • CWE-787: Out-of-bounds Write •

CVSS: 9.8 • EPSS: 1% • CPEs: 3 • EXPL: 0

01 Mar 2019 — SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege escalation through the RabbitMQ service. • https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-005.md • CWE-427: Uncontrolled Search Path Element •

CVSS: 10.0 • EPSS: 45% • CPEs: 1 • EXPL: 0

18 Feb 2019 — SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user. • http://www.securityfocus.com/bid/107061 •

CVSS: 9.0 • EPSS: 3% • CPEs: 1 • EXPL: 3

02 Feb 2019 — SolarWinds Serv-U FTP Server 15.1.6 allows remote authenticated users to execute arbitrary code by leveraging the Import feature and modifying a CSV file. SolarWinds Serv-U FTP Server version 15.1.6 is vulnerable to privilege escalation from remote authenticated users by leveraging the CSV user import function. This leads to obta... • https://packetstorm.news/files/id/151473 •