Vulnerabilities (CVE)

Filtered by vendor Solarwinds Subscribe
Total 274 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-15910 1 Solarwinds 1 N-central 2024-11-21 4.3 MEDIUM 4.7 MEDIUM
SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be forwarded to the attacker.
CVE-2020-15909 1 Solarwinds 1 N-central 2024-11-21 6.8 MEDIUM 8.8 HIGH
SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as sourceip, MFA claim, etc. as long as the victim stays logged in within N-Central. To take advantage of this, cookie could be stolen and the JSESSIONID can be captured. On its own this is not a surprising result; low security tools allow the cookie to roam from machine to machine. The JSESSION cookie can then be used on the attackers’ workstation by browsing to the victim’s NCentral server URL and replacing the JSESSIONID attribute value by the captured value. Expected behavior would be to check this against a second source and enforce at least a reauthentication or multi factor request as N-Central is a highly privileged service.
CVE-2020-15576 1 Solarwinds 1 Serv-u 2024-11-21 5.0 MEDIUM 7.5 HIGH
SolarWinds Serv-U File Server before 15.2.1 allows information disclosure via an HTTP response.
CVE-2020-15575 1 Solarwinds 1 Serv-u 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
SolarWinds Serv-U File Server before 15.2.1 allows XSS as demonstrated by Tenable Scan, aka Case Number 00484194.
CVE-2020-15574 1 Solarwinds 1 Serv-u 2024-11-21 5.0 MEDIUM 7.5 HIGH
SolarWinds Serv-U File Server before 15.2.1 mishandles the Same-Site cookie attribute, aka Case Number 00331893.
CVE-2020-15573 1 Solarwinds 1 Serv-u 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
SolarWinds Serv-U File Server before 15.2.1 has a "Cross-script vulnerability," aka Case Numbers 00041778 and 00306421.
CVE-2020-15543 1 Solarwinds 1 Serv-u Ftp Server 2024-11-21 7.5 HIGH 9.8 CRITICAL
SolarWinds Serv-U FTP server before 15.2.1 does not validate an argument path.
CVE-2020-15542 1 Solarwinds 1 Serv-u Ftp Server 2024-11-21 7.5 HIGH 9.8 CRITICAL
SolarWinds Serv-U FTP server before 15.2.1 mishandles the CHMOD command.
CVE-2020-15541 1 Solarwinds 1 Serv-u Ftp Server 2024-11-21 7.5 HIGH 9.8 CRITICAL
SolarWinds Serv-U FTP server before 15.2.1 allows remote command execution.
CVE-2020-14007 1 Solarwinds 2 Orion Network Performance Monitor, Orion Web Performance Monitor 2024-11-21 3.5 LOW 5.4 MEDIUM
Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a name of an alert definition.
CVE-2020-14006 1 Solarwinds 2 Orion Network Performance Monitor, Orion Web Performance Monitor 2024-11-21 3.5 LOW 5.4 MEDIUM
Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows XSS via a Responsible Team.
CVE-2020-14005 1 Solarwinds 2 Orion Network Performance Monitor, Orion Web Performance Monitor 2024-11-21 9.0 HIGH 8.8 HIGH
Solarwinds Orion (with Web Console WPM 2019.4.1, and Orion Platform HF4 or NPM HF2 2019.4) allows remote attackers to execute arbitrary code via a defined event.
CVE-2020-13912 1 Solarwinds 1 Advanced Monitoring Agent 2024-11-21 6.0 MEDIUM 7.3 HIGH
SolarWinds Advanced Monitoring Agent before 10.8.9 allows local users to gain privileges via a Trojan horse .exe file, because everyone can write to a certain .exe file.
CVE-2020-13169 1 Solarwinds 1 Orion Platform 2024-11-21 3.5 LOW 9.0 CRITICAL
Stored XSS (Cross-Site Scripting) exists in the SolarWinds Orion Platform before before 2020.2.1 on multiple forms and pages. This vulnerability may lead to the Information Disclosure and Escalation of Privileges (takeover of administrator account).
CVE-2020-12608 1 Solarwinds 1 Managed Service Provider Patch Management Engine 2024-11-21 9.3 HIGH 7.8 HIGH
An issue was discovered in SolarWinds MSP PME (Patch Management Engine) Cache Service before 1.1.15 in the Advanced Monitoring Agent. There are insecure file permissions for %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\. This can lead to code execution by changing the CacheService.xml SISServerURL parameter.
CVE-2020-10148 1 Solarwinds 1 Orion Platform 2024-11-21 7.5 HIGH 9.8 CRITICAL
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.
CVE-2019-9546 1 Solarwinds 1 Orion Platform 2024-11-21 7.5 HIGH 9.8 CRITICAL
SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege escalation through the RabbitMQ service.
CVE-2019-9017 1 Solarwinds 1 Dameware Mini Remote Control 2024-11-21 5.0 MEDIUM 7.5 HIGH
DWRCC in SolarWinds DameWare Mini Remote Control 10.0 x64 has a Buffer Overflow associated with the size field for the machine name.
CVE-2019-8917 1 Solarwinds 1 Orion Network Performance Monitor 2024-11-21 10.0 HIGH 9.8 CRITICAL
SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user.
CVE-2019-3980 1 Solarwinds 1 Dameware Mini Remote Control 2024-11-21 10.0 HIGH 9.8 CRITICAL
The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable run under the Local System account.