
CVE-2021-35251 – Sensitive Data Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2021-35251
09 Mar 2022 — Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation. • https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-7-8_release_notes.htm • CWE-209: Generation of Error Message Containing Sensitive Information

CVE-2021-35243 – HTTP PUT & DELETE Methods Enabled
https://notcve.org/view.php?id=CVE-2021-35243
23 Dec 2021 — The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server at a user-supplied URL, while the DELETE method requests that the origin server remove the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity. • https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US • CWE-749: Exposed Dangerous Method or Function

CVE-2021-32076 – Access Restriction bypass vulnerability via referrer spoof - Business Logic Bypass
https://notcve.org/view.php?id=CVE-2021-32076
26 Aug 2021 — Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-privileged IP address network range or loopback address by intercepting the HTTP request and changing the referrer from the public IP address to the loopback. • https://exchange.xforce.ibmcloud.com/vulnerabilities/208278 • CWE-290: Authentication Bypass by Spoofing

CVE-2019-16961
https://notcve.org/view.php?id=CVE-2019-16961
15 Jan 2021 — SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name. • https://support.solarwinds.com/SuccessCenter/s • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-16954
https://notcve.org/view.php?id=CVE-2019-16954
06 Jan 2021 — SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in a Help Request ticket. • https://support.solarwinds.com/SuccessCenter/s • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-16960
https://notcve.org/view.php?id=CVE-2019-16960
04 Jan 2021 — SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file with a crafted Location Name field. • https://support.solarwinds.com/SuccessCenter/s • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-16956
https://notcve.org/view.php?id=CVE-2019-16956
04 Jan 2021 — SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parameter of a ticket. • https://support.solarwinds.com/SuccessCenter/s • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')