CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2021-35248 – Unrestricted access to Orion.UserSettings SWIS entity for low-privilege users
https://notcve.org/view.php?id=CVE-2021-35248
It has been reported that any Orion user, e.g. guest accounts can query the Orion.UserSettings entity and enumerate users and their basic settings. Se ha informado de que cualquier usuario de Orion, por ejemplo, las cuentas de invitados pueden consultar la entidad Orion.UserSettings y enumerar los usuarios y su configuración básica • https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2020-2-6-Hotfix-3 https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35248 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-35238 – Stored XSS through URL POST parameter in CreateExternalWebsite Vulnerability
https://notcve.org/view.php?id=CVE-2021-35238
User with Orion Platform Admin Rights could store XSS through URL POST parameter in CreateExternalWebsite website. Un usuario con derechos de Administrador de la Plataforma Orion podría almacenar una vulnerabilidad de tipo XSS mediante el parámetro URL POST en el sitio web CreateExternalWebsite • https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2020-2-6-Hotfix-1?language=en_US https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35238 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-35239 – Stored XSS in Maps text box hyperlink Vulnerability
https://notcve.org/view.php?id=CVE-2021-35239
A security researcher found a user with Orion map manage rights could store XSS through via text box hyperlink. Un investigador de seguridad ha detectado que un usuario con derechos de administración de mapas de Orion podía almacenar una vulnerabilidad de tipo XSS mediante un hipervínculo de cuadro de texto • https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm https://support.solarwinds.com/SuccessCenter/s/article/Mitigate-the-Stored-XSS-in-Maps-text-box-hyperlink-vulnerability-CVE-2021-35239?language=en_US https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2020-2-6-Hotfix-1?language=en_US https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35239 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •