CVSS: 9.0EPSS: 6%CPEs: 2EXPL: 0CVE-2020-14005 – SolarWinds Network Performance Monitor ExecuteVBScript Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-14005
Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows remote attackers to execute arbitrary code via a defined event. Solarwinds Orion (con Web Console WPM versión 2019.4.1 y Orion Platform HF4 o NPM HF2 versión 2019.4), permite a atacantes remotos ejecutar código arbitrario por medio de un evento definido This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. The specific flaw exists within the ExecuteVBScript method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://gist.github.com/alert3/c9dcce5474e55f408c93c086c30cdbb7 https://www.zerodayinitiative.com/advisories/ZDI-21-063 https://www.zerodayinitiative.com/advisories/ZDI-21-065 •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2020-14006
https://notcve.org/view.php?id=CVE-2020-14006
Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a Responsible Team. Solarwinds Orion (con Web Console WPM versión 2019.4.1 y Orion Platform HF4 o NPM HF2 versión 2019.4), permite un ataque de tipo XSS por medio de un Equipo Responsable • https://gist.github.com/alert3/f8d33412ab0c671d3cac6a50b132a894 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2020-14007
https://notcve.org/view.php?id=CVE-2020-14007
Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a name of an alert definition. Solarwinds Orion (con Web Console WPM versión 2019.4.1 y Orion Platform HF4 o NPM HF2 versión 2019.4), permite un ataque de tipo XSS por medio del nombre de una definición de alerta • https://gist.github.com/alert3/f8d33412ab0c671d3cac6a50b132a894 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •