Page 3 of 60 results (0.005 seconds)

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters. To insure proper input validation is completed in all environments. SolarWinds recommends scheduling an update to the latest version of Serv-U. • https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247 • CWE-20: Improper Input Validation •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Serv-U server responds with valid CSRFToken when the request contains only Session. El servidor Serv-U responde con un CSRFToken válido cuando la petición contiene sólo Session • https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-2-5_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35242 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 8.4EPSS: 0%CPEs: 4EXPL: 0

When a user has admin rights in Serv-U Console, the user can move, create and delete any files are able to be accessed on the Serv-U host machine. Cuando un usuario presenta derechos de administrador en la Consola de Serv-U, el usuario puede mover, crear y eliminar cualquier archivo al que se pueda acceder en la máquina anfitriona de Serv-U • https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-2-5_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35245 • CWE-284: Improper Access Control •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that can take the form of user string variables, allowing remote code execution. El Servidor de Archivos Serv-U permite auditar eventos como los fallos de inicio de sesión de los usuarios mediante la ejecución de un comando. Este comando puede ser suministrado con parámetros que pueden tomar la forma de variables de cadena de usuario, permitiendo la ejecución remota de código • https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-2-4_release_notes.htm https://support.solarwinds.com/SuccessCenter/s/article/Execute-Command-Function-Allows-Remote-Code-Execution-RCE-Vulnerability-CVE-2021-35223?language=en_US https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35223 • CWE-20: Improper Input Validation •

CVSS: 10.0EPSS: 95%CPEs: 3EXPL: 3

Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability. Microsoft descubrió una vulnerabilidad de ejecución de código remota (RCE) en el producto SolarWinds Serv-U usando una Vulnerabilidad de Escape de Memoria Remota. Si es explotado, un actor de la amenaza puede ser capaz de obtener acceso privilegiado a la máquina que aloja Serv-U solamente. • https://github.com/BishopFox/CVE-2021-35211 https://github.com/NattiSamson/Serv-U-CVE-2021-35211 https://github.com/0xhaggis/CVE-2021-35211 https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211 • CWE-787: Out-of-bounds Write •