CVSS: 6.4EPSS: 1%CPEs: 2EXPL: 0CVE-2021-35225 – Netpath Horizontal Privilege Escalation Vulnerability: NPM 2020.2.5
https://notcve.org/view.php?id=CVE-2021-35225
21 Oct 2021 — Each authenticated Orion Platform user in a MSP (Managed Service Provider) environment can view and browse all NetPath Services from all that MSP's customers. This can lead to any user having a limited insight into other customer's infrastructure and potential data cross-contamination. Cada usuario autenticado de Orion Platform en un entorno MSP (Managed Service Provider) puede visualizar y navegar todos los servicios NetPath de todos los clientes de ese MSP. Esto puede conllevar a que cualquier usuario ten... • https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm •
CVSS: 9.0EPSS: 65%CPEs: 2EXPL: 0CVE-2020-27869 – SolarWinds Network Performance Monitor WriteToFile SQL Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-27869
11 Feb 2021 — This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor 2020 HF1, NPM: 2020.2. Authentication is required to exploit this vulnerability. The specific flaw exists within the WriteToFile method. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges and reset the password for the Admin user. • https://www.zerodayinitiative.com/advisories/ZDI-21-064 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •