Description
This vulnerability allows attackers to impersonate users and perform arbitrary actions, leading to Remote Code Execution (RCE) from the Alerts Settings page.
CVSS breakdown
CVSS 3.1
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: High
- Integrity: Low
- Availability: Low
Affected products
- SolarWinds / Orion Platform 2020.2.6 and previous versions – 2020.2.6 HF1
References
- MISC: https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm
- MISC: https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2020-2-6-Hotfix-1?language=en_US
- VENDOR_ADVISORY: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35222
- MISC: https://support.solarwinds.com/SuccessCenter/s/article/Mitigate-the-Resource-aspx-Reflected-Cross-Site-Scripting-Vulnerability-CVE-2021-35222?language=en_US