Page 32 of 256 results (0.019 seconds)

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0

SolarWinds Database Performance Analyzer (DPA) 11.1.468 and 12.0.3074 have several persistent XSS vulnerabilities, related to logViewer.iwc, centralManage.cen, userAdministration.iwc, database.iwc, alertManagement.iwc, eventAnnotations.iwc, and central.cen. SolarWinds Database Performance Analyzer (DPA) versiones 11.1.468 y 12.0.3074, presentan varias vulnerabilidades de tipo XSS persistente, relacionadas con los archivos logViewer.iwc, centralManage.cen, userAdministration.iwc, database.iwc, alertManagement.iwc, eventAnnotations.iwc y central.cen • https://gist.github.com/james-otten/d3ee2f0fccc3b87aafe1616a6c2c2d4e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 12.7.0 allows attacker to inject arbitrary web script or HTML via Location Name. Un vulnerabilidad de tipo Cross-site Scripting (XSS) en SolarWinds Web Help Desk versión 12.7.0, permite al atacante inyectar script web o HTML arbitrario por medio del Location Name • https://www.esecforte.com/cross-site-scripting-vulnerability-with-solarwinds-web-help-desk https://www.solarwinds.com/free-tools/free-help-desk-software • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as sourceip, MFA claim, etc. as long as the victim stays logged in within N-Central. To take advantage of this, cookie could be stolen and the JSESSIONID can be captured. On its own this is not a surprising result; low security tools allow the cookie to roam from machine to machine. The JSESSION cookie can then be used on the attackers’ workstation by browsing to the victim’s NCentral server URL and replacing the JSESSIONID attribute value by the captured value. • https://limenetworks.nl/wp-content/uploads/CVE-934261-v-1.2.pdf https://www.solarwindsmsp.com/products/n-central • CWE-384: Session Fixation •

CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0

SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be forwarded to the attacker. SolarWinds N-Central versiones hasta 12.3 GA y anteriores, no establece el atributo JSESSIONID en HTTPOnly. • https://limenetworks.nl/wp-content/uploads/CVE-934261-v-1.2.pdf https://www.solarwindsmsp.com/products/n-central • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0

Stored XSS (Cross-Site Scripting) exists in the SolarWinds Orion Platform before before 2020.2.1 on multiple forms and pages. This vulnerability may lead to the Information Disclosure and Escalation of Privileges (takeover of administrator account). Una vulnerabilidad de tipo XSS (Cross-Site Scripting) almacenado se presenta en SolarWinds Orion Platform versiones anteriores a 2020.2.1, en varios formularios y páginas. Esta vulnerabilidad puede conllevar a una divulgación de información y a una escalada de privilegios (toma de control de la cuenta de administrador) • https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Release_Notes/Orion_Platform_2020-2-1_release_notes.htm#NewFeaturesOrion https://support.solarwinds.com/SuccessCenter/s • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •