History: Sep 01, 2021 - 11:02 a.m.

CVE-2021-35238 Stored XSS through URL POST parameter in CreateExternalWebsite Vulnerability

2021-09-01 11:02:35
CWE-79
SolarWinds
www.cve.org
Tags: stored xss, createexternalwebsite, url post parameter, admin rights

CVSS3: 4.8
Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

AI Score: 6.9
Confidence: High
EPSS: 0.001
Percentile: 34.4%

A user with Orion Platform Admin Rights could store XSS through the URL POST parameter of the CreateExternalWebsite website.

CNA Affected

[
  {
    "platforms": [
      "Windows"
    ],
    "product": "Orion Platform",
    "vendor": "SolarWinds",
    "versions": [
      {
        "lessThan": "2020.2.6 HF1 ",
        "status": "affected",
        "version": "2020.2.6 and previous versions ",
        "versionType": "custom"
      }
    ]
  }
]
