CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-40060 – 2FA/MFA Bypass Vulnerability in Serv-U 15.4 and 15.4 Hotfix 1
https://notcve.org/view.php?id=CVE-2023-40060
07 Sep 2023 — A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4. SolarWinds found that the issue was not completely fixed in 15.4 Hotfix 1. Se ha identificado una vulnerabilidad dentro de Serv-U 15.4 y 15.4 Hotfix 1 que, si se explota, permite a un actor eludir la autenticación multifactor/de dos factores. El actor debe tener acc... • https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-0-Hotfix-2?language=en_US • CWE-284: Improper Access Control •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35179 – 2FA/MFA Bypass Vulnerability in Serv-U 15.4
https://notcve.org/view.php?id=CVE-2023-35179
10 Aug 2023 — A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. Se ha identificado una vulnerabilidad dentro de Serv-U 15.4 que, si se explota, permite a un actor eludir la autenticación multifactor/de dos factores. El actor debe tener acceso de nivel de administrador a Serv-U para realizar esta acción.  • https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-4-Hotfix-1?language=en_US • CWE-284: Improper Access Control •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23842 – SolarWinds Network Configuration Manager Directory Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2023-23842
26 Jul 2023 — The SolarWinds Network Configuration Manager was susceptible to the Directory Traversal Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands. SolarWinds Network Configuration Manager era susceptible a la vulnerabilidad de Directory Traversal. Esta vulnerabilidad permite a los usuarios con acceso administrativo a SolarWinds Web Console ejecutar comandos arbitrarios. This vulnerability allows remote attackers to execute arbitrary cod... • https://documentation.solarwinds.com/en/success_center/ncm/content/release_notes/ncm_2023-3_release_notes.htm • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3622 – Access Control Bypass Vulnerability in the SolarWinds Platform
https://notcve.org/view.php?id=CVE-2023-3622
26 Jul 2023 — Access Control Bypass Vulnerability in the SolarWinds Platform that allows an underprivileged user to read arbitrary resource Vulnerabilidad de Access Control Bypass en SolarWinds Platform que permite a un usuario con privilegios leer recursos arbitrarios • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-3_release_notes.htm • CWE-287: Improper Authentication •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33229 – SolarWinds Platform Incorrect Input Neutralization Vulnerability
https://notcve.org/view.php?id=CVE-2023-33229
26 Jul 2023 — The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject passive HTML. SolarWinds Platform era susceptible a la vulnerabilidad de neutralización de entrada incorrecta. Esta vulnerabilidad permite a un adversario remoto con una cuenta válida de SolarWinds Platform anexar parámetros de URL para inyectar HTML pasivo. • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-3_release_notes.htm • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23843 – SolarWinds Platform Incorrect Comparison Vulnerability
https://notcve.org/view.php?id=CVE-2023-23843
26 Jul 2023 — The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the UpdateActionsProperties method. The issue results from an incorrect string comparison. • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-3_release_notes.htm • CWE-697: Incorrect Comparison •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33224 – SolarWinds Platform Incorrect Behavior Order Vulnerability
https://notcve.org/view.php?id=CVE-2023-33224
26 Jul 2023 — The SolarWinds Platform was susceptible to the Incorrect Behavior Order Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the UpdateActionsProperties method. The issue results from inp... • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-3_release_notes.htm • CWE-696: Incorrect Behavior Order •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33225 – SolarWinds Platform Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2023-33225
26 Jul 2023 — The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges. La plataforma SolarWinds era susceptible a la vulnerabilidad de comparación incorrecta. Esta vulnerabilidad permite a los usuarios con acceso administrativo a SolarWinds Web Console ejecutar comandos arbitrarios con privilegios SYSTEM. This vulnerability allows remote attackers to execute ... • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-3_release_notes.htm • CWE-697: Incorrect Comparison •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23844 – SolarWinds Platform Incomplete List of Disallowed Inputs Vulnerability
https://notcve.org/view.php?id=CVE-2023-23844
26 Jul 2023 — The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the BlacklistedFilesChecker class. The issue results from an incomplete lis... • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-3_release_notes.htm • CWE-184: Incomplete List of Disallowed Inputs CWE-697: Incorrect Comparison •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33231 – XSS in SolarWinds Database Performance Analyzer 2023.2
https://notcve.org/view.php?id=CVE-2023-33231
18 Jul 2023 — XSS attack was possible in DPA 2023.2 due to insufficient input validation • https://documentation.solarwinds.com/en/success_center/dpa/content/release_notes/dpa_2023-2-100_release_notes.htm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •