
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation.
• https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-7-8_release_notes.htm
• https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35251
• CWE-209: Generation of Error Message Containing Sensitive Information

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL, while the DELETE method requests that the origin server remove the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity.
• https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US
• https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35243
• CWE-749: Exposed Dangerous Method or Function

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Access Restriction Bypass via referrer spoof was discovered in SolarWinds Web Help Desk 12.7.2. An attacker can access the 'Web Help Desk Getting Started Wizard', especially the admin account creation page, from a non-privileged IP address network range or loopback address by intercepting the HTTP request and changing the referrer from the public IP address to the loopback.
• https://exchange.xforce.ibmcloud.com/vulnerabilities/208278
• https://www.solarwinds.com/trust-center/security-advisories/cve-2021-32076
• CWE-290: Authentication Bypass by Spoofing

CVSS: 4.3 • EPSS: 0% • CPEs: 108 • EXPL: 0

Cross-site scripting (XSS) vulnerability in Web Help Desk before 9.1.18 allows remote attackers to inject arbitrary web script or HTML via vectors related to "encoded JavaScript" and Helpdesk.woa.
• http://secunia.com/advisories/33651
• http://updates.webhelpdesk.com/weblog/updates/StableReleases/2009/01/23/911812309.html
• http://www.securityfocus.com/bid/33429
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')