Lucene search

SolarWindsCVELIST:CVE-2021-35220

HistoryAug 31, 2021 - 11:03 a.m.

CVE-2021-35220 EmailWebPage Command Injection RCE

2021-08-3111:03:45

SolarWinds

www.cve.org

cve-2021-35220

emailwebpage

command injection

remote code execution

alerts settings page

CVSS3

8.1

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

AI Score

9.4

Confidence

High

EPSS

0.004

Percentile

72.8%

JSON

Command Injection vulnerability in EmailWebPage API which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.

CNA Affected

[
  {
    "platforms": [
      "Windows"
    ],
    "product": "Orion Platform",
    "vendor": "SolarWinds",
    "versions": [
      {
        "lessThanOrEqual": "2020.2.6 HF1 ",
        "status": "affected",
        "version": "2020.2.6 and previous versions ",
        "versionType": "custom"
      }
    ]
  }
]

References

documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/orion_platform_2020-2-6_release_notes.htm

support.solarwinds.com/SuccessCenter/s/article/Mitigate-the-EmailWebPage-Command-Injection-RCE-CVE-2021-35220?language=en_US

support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2020-2-6-Hotfix-1?language=en_US

www.solarwinds.com/trust-center/security-advisories/cve-2021-35220

CVSS3

8.1

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

AI Score

9.4

Confidence

High

EPSS

0.004

Percentile

72.8%

JSON

Related for CVELIST:CVE-2021-35220