CVSS: 10.0EPSS: 54%CPEs: 1EXPL: 0CVE-2021-31474 – SolarWinds Network Performance Monitor FromJson Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-31474
This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://documentation.solarwinds.com/en/success_center/sam/content/release_notes/sam_2020-2-5_release_notes.htm https://www.zerodayinitiative.com/advisories/ZDI-21-602 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.0EPSS: 1%CPEs: 1EXPL: 0CVE-2021-31475 – SolarWinds Orion Job Scheduler JobRouterService Improper Authorization Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-31475
This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Job Scheduler 2020.2.1 HF 2. Authentication is required to exploit this vulnerability. The specific flaw exists within the JobRouterService WCF service. The issue is due to the WCF service configuration, which allows a critical resource to be accessed by unprivileged users. An attacker can leverage this vulnerability to execute code in the context of an administrator. • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/orion_platform_2020-2-5_release_notes.htm https://www.zerodayinitiative.com/advisories/ZDI-21-605 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2021-32604
https://notcve.org/view.php?id=CVE-2021-32604
Share/IncomingWizard.htm in SolarWinds Serv-U before 15.2.3 mishandles the user-supplied SenderEmail parameter, aka "Share URL XSS." Share/IncomingWizard.htm en SolarWinds Serv-U antes de la versión 15.2.3 maneja mal el parámetro SenderEmail suministrado por el usuario, también conocido como "Share URL XSS" • https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-2-3_release_notes.htm https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/solarwinds-serv-u-1523-share-url-xss-cve-2021-32604 https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29000 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-22428
https://notcve.org/view.php?id=CVE-2020-22428
SolarWinds Serv-U before 15.1.6 Hotfix 3 is affected by Cross Site Scripting (XSS) via a directory name (entered by an admin) containing a JavaScript payload. SolarWinds Serv-U versiones anteriores a 15.1.6 Hotfix 3, está afectado por Cross Site Scripting (XSS) por medio de un nombre de directorio (ingresado por un administrador) que contiene una carga útil de JavaScript • https://github.com/matrix https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-1-6-Hotfix-3?language=en_US https://twitter.com/gm4tr1x https://www.linkedin.com/in/gabrielegristina • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25179
https://notcve.org/view.php?id=CVE-2021-25179
SolarWinds Serv-U before 15.2 is affected by Cross Site Scripting (XSS) via the HTTP Host header. SolarWinds Serv-U versiones anteriores a 15.2, está afectado por una vulnerabilidad de tipo Cross Site Scripting (XSS) por medio del encabezado HTTP Host • https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-2_release_notes.htm https://github.com/matrix https://twitter.com/gm4tr1x https://www.linkedin.com/in/gabrielegristina • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •