CVSS: 9.8 | EPSS: 97% | CPEs: 3 | EXPL: 2

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

References:
• https://github.com/B1anda0/CVE-2020-10148
• https://github.com/rdoix/CVE-2020-10148-Solarwinds-Orion
• https://kb.cert.org/vuls/id/843464
• https://www.solarwinds.com/securityadvisory

CWE:
• CWE-287: Improper Authentication
• CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket.

References:
• https://support.solarwinds.com/SuccessCenter/s
• https://www.esecforte.com/formula-injection-vulnerability-india-in-solarwinds-web-help-desk
• https://www.solarwinds.com/free-tools/free-help-desk-software

CWE:
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request.

References:
• https://support.solarwinds.com/SuccessCenter/s
• https://www.esecforte.com/cross-site-scripting-via-file-upload-vulnerability-in-solarwinds-web-help-desk
• https://www.solarwinds.com/free-tools/free-help-desk-software

CWE:
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account.

References:
• https://support.solarwinds.com/SuccessCenter/s
• https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk
• https://www.solarwinds.com/free-tools/free-help-desk-software

CWE:
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows CSRF.

References:
• https://ernw.de/en/publications.html
• https://insinuator.net/2020/12/security-advisories-for-solarwinds-n-central
• https://support.solarwinds.com/SuccessCenter/s

CWE:
• CWE-352: Cross-Site Request Forgery (CSRF)