SolarWinds SolarWinds IT Management Software and Remote Monitoring Tools

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any SolarWinds product.

Products by SolarWinds Sorted by Most Security Vulnerabilities since 2018

SolarWinds Orion Platform44 vulnerabilities

SolarWinds Serv U28 vulnerabilities

Solarwinds Platform20 vulnerabilities

SolarWinds Webhelpdesk6 vulnerabilities

SolarWinds Web Help Desk5 vulnerabilities

SolarWinds Sql Sentry1 vulnerability

SolarWinds Dynamips1 vulnerability

Known Exploited SolarWinds Vulnerabilities

The following SolarWinds vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
SolarWinds Web Help Desk Hardcoded Credential Vulnerability SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data. CVE-2024-28987 October 15, 2024
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution. CVE-2024-28986 August 15, 2024
SolarWinds Serv-U Path Traversal Vulnerability SolarWinds Serv-U contains a path traversal vulnerability that allows an attacker access to read sensitive files on the host machine. CVE-2024-28995 July 17, 2024
SolarWinds Serv-U Improper Input Validation Vulnerability SolarWinds Serv-U versions 15.2.5 and earlier contain an improper input validation vulnerability which allows attackers to build and send queries without sanitization. CVE-2021-35247 January 21, 2022
SolarWinds Orion API Authentication Bypass Vulnerability The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected. CVE-2020-10148 November 3, 2021
SolarWinds Serv-U Remote Memory Escape Vulnerability Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. CVE-2021-35211 November 3, 2021
SolarWinds Virtualization Manager Privilege Escalation Vulnerability SolarWinds Virtualization Manager 6.3.1 and earlier allow local users to gain privileges by leveraging a misconfiguration of sudo, as demonstrated by "sudo cat /etc/passwd." CVE-2016-3643 November 3, 2021

By the Year

In 2024 there have been 33 vulnerabilities in SolarWinds with an average score of 8.7 out of ten. Last year SolarWinds had 45 security vulnerabilities published. Right now, SolarWinds is on track to have less security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 1.34.

Year Vulnerabilities Average Score
2024 33 8.74
2023 45 7.40
2022 24 6.58
2021 50 6.99
2020 29 7.08
2019 14 7.51
2018 5 8.10

It may take a day or so for new SolarWinds vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent SolarWinds Security Vulnerabilities

SolarWinds Platform: Authenticated Stored XSS in Search and Node Information UI

CVE-2024-45717 7 - High - December 04, 2024

The SolarWinds Platform was susceptible to a XSS vulnerability that affects the search and node information section of the user interface. This vulnerability requires authentication and requires user interaction.

XSS

Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users permissions

CVE-2024-45714 4.1 - Medium - October 16, 2024

Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users permissions can modify a variable with a payload.

XSS

The SolarWinds Platform was susceptible to a Cross-Site Scripting vulnerability when performing an edit function to existing elements.

CVE-2024-45715 6.1 - Medium - October 16, 2024

The SolarWinds Platform was susceptible to a Cross-Site Scripting vulnerability when performing an edit function to existing elements.

XSS

SolarWinds Platform is susceptible to an Uncontrolled Search Path Element Local Privilege Escalation vulnerability

CVE-2024-45710 7.8 - High - October 16, 2024

SolarWinds Platform is susceptible to an Uncontrolled Search Path Element Local Privilege Escalation vulnerability. This requires a low privilege account and local access to the affected node machine.

DLL preloading

SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user

CVE-2024-45711 8.8 - High - October 16, 2024

SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are abused. Authentication is required for this vulnerability

Directory traversal

SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability

CVE-2024-28990 9.8 - Critical - September 12, 2024

SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.

Use of Hard-coded Credentials

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability

CVE-2024-28991 8.8 - High - September 12, 2024

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.

Marshaling, Unmarshaling

The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability

CVE-2024-28987 9.1 - Critical - August 21, 2024

The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.

Use of Hard-coded Credentials

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability

CVE-2024-28986 9.8 - Critical - August 13, 2024

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.   However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.

Marshaling, Unmarshaling

The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability

CVE-2024-23465 9.8 - Critical - July 17, 2024

The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment.  

authentification

The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability

CVE-2024-23470 9.8 - Critical - July 17, 2024

The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables.

authentification

The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability

CVE-2024-23471 9.8 - Critical - July 17, 2024

The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.

authentification

The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.

CVE-2024-23474 9.8 - Critical - July 17, 2024

The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.

Directory traversal

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability

CVE-2024-23475 9.8 - Critical - July 17, 2024

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Directory traversal

It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager

CVE-2024-28074 9.8 - Critical - July 17, 2024

It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.

Marshaling, Unmarshaling

SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability

CVE-2024-23469 9.8 - Critical - July 17, 2024

SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges.

Improper Input Validation

SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability

CVE-2024-23466 9.8 - Critical - July 17, 2024

SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges.

Directory traversal

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability

CVE-2024-23467 9.8 - Critical - July 17, 2024

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform remote code execution.

Directory traversal

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability

CVE-2024-23468 9.4 - Critical - July 17, 2024

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Directory traversal

SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability

CVE-2024-23472 8.8 - High - July 17, 2024

SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM.

Directory traversal

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability

CVE-2024-28992 9.4 - Critical - July 17, 2024

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Directory traversal

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability

CVE-2024-28993 9.4 - Critical - July 17, 2024

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Directory traversal

SolarWinds Serv-U was susceptible to a directory transversal vulnerability

CVE-2024-28995 7.5 - High - June 06, 2024

SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.

Directory traversal

The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console.

CVE-2024-28999 8.1 - High - June 04, 2024

The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console.

Race Condition

The SolarWinds Platform was determined to be affected by a stored cross-site scripting vulnerability affecting the web console

CVE-2024-29004 4.8 - Medium - June 04, 2024

The SolarWinds Platform was determined to be affected by a stored cross-site scripting vulnerability affecting the web console. A high-privileged user and user interaction is required to exploit this vulnerability.

XSS

The SolarWinds Platform was determined to be affected by a SWQL Injection Vulnerability

CVE-2024-28996 8.1 - High - June 04, 2024

The SolarWinds Platform was determined to be affected by a SWQL Injection Vulnerability. Attack complexity is high for this vulnerability.  

SQL Injection

The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability

CVE-2023-40057 9 - Critical - February 15, 2024

The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.

Marshaling, Unmarshaling

The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability

CVE-2024-23476 9.6 - Critical - February 15, 2024

The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution.

Directory traversal

The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability

CVE-2024-23477 9.6 - Critical - February 15, 2024

The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.

Directory traversal

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability

CVE-2024-23478 8 - High - February 15, 2024

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.

Marshaling, Unmarshaling

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability

CVE-2024-23479 9.6 - Critical - February 15, 2024

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.

Directory traversal

SQL Injection Remote Code Execution Vulnerability was found using a create statement in the SolarWinds Platform

CVE-2023-35188 8.8 - High - February 06, 2024

SQL Injection Remote Code Execution Vulnerability was found using a create statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited.

SQL Injection

SQL Injection Remote Code Execution Vulnerability was found using an update statement in the SolarWinds Platform

CVE-2023-50395 8.8 - High - February 06, 2024

SQL Injection Remote Code Execution Vulnerability was found using an update statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited

SQL Injection

Sensitive data was added to our public-facing knowledgebase

CVE-2023-40058 6.5 - Medium - December 21, 2023

Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment.

A vulnerability has been identified within Serv-U 15.4

CVE-2023-40053 5 - Medium - December 06, 2023

A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously.

SQL Injection Remote Code Vulnerability was found in the SolarWinds Platform

CVE-2023-40056 8.8 - High - November 28, 2023

SQL Injection Remote Code Vulnerability was found in the SolarWinds Platform. This vulnerability can be exploited with a low privileged account.

SQL Injection

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability

CVE-2023-40054 8.8 - High - November 09, 2023

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33226

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability

CVE-2023-40055 8.8 - High - November 09, 2023

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33227

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability

CVE-2023-33226 8.8 - High - November 01, 2023

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges.

Directory traversal

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability This vulnerability

CVE-2023-33227 8.8 - High - November 01, 2023

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability This vulnerability allows a low level user to perform the actions with SYSTEM privileges.

Directory traversal

The SolarWinds Network Configuration Manager was susceptible to the Exposure of Sensitive Information Vulnerability

CVE-2023-33228 4.9 - Medium - November 01, 2023

The SolarWinds Network Configuration Manager was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to obtain sensitive information.

Missing Encryption of Sensitive Data

 Insecure job execution mechanism vulnerability

CVE-2023-40061 8.8 - High - November 01, 2023

 Insecure job execution mechanism vulnerability. This vulnerability can lead to other attacks as a result.

Improper Input Validation

SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability

CVE-2023-40062 8.8 - High - November 01, 2023

SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.

Improper Input Validation

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability

CVE-2023-35180 8.8 - High - October 19, 2023

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.

Marshaling, Unmarshaling

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability

CVE-2023-35187 9.8 - Critical - October 19, 2023

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.

Directory traversal

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability

CVE-2023-35186 8.8 - High - October 19, 2023

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.

Marshaling, Unmarshaling

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability

CVE-2023-35184 9.8 - Critical - October 19, 2023

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution.

Marshaling, Unmarshaling

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability

CVE-2023-35183 7.8 - High - October 19, 2023

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.

Incorrect Default Permissions

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability

CVE-2023-35181 7.8 - High - October 19, 2023

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.

Incorrect Default Permissions

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.

CVE-2023-35185 6.8 - Medium - October 19, 2023

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.

Directory traversal

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability

CVE-2023-35182 9.8 - Critical - October 19, 2023

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.

Marshaling, Unmarshaling

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability

CVE-2023-23840 7.2 - High - September 13, 2023

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.

Incorrect Comparison

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability

CVE-2023-23845 7.2 - High - September 13, 2023

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.

Incorrect Comparison

A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1

CVE-2023-40060 7.2 - High - September 07, 2023

A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4.  SolarWinds found that the issue was not completely fixed in 15.4 Hotfix 1. 

Authorization

A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication

CVE-2023-35179 7.2 - High - August 11, 2023

A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 

Authorization

Access Control Bypass Vulnerability in the SolarWinds Platform

CVE-2023-3622 4.3 - Medium - July 26, 2023

Access Control Bypass Vulnerability in the SolarWinds Platform that allows an underprivileged user to read arbitrary resource

authentification

The SolarWinds Network Configuration Manager was susceptible to the Directory Traversal Vulnerability

CVE-2023-23842 7.2 - High - July 26, 2023

The SolarWinds Network Configuration Manager was susceptible to the Directory Traversal Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands.

Directory traversal

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability

CVE-2023-33229 3.5 - Low - July 26, 2023

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject passive HTML.

Code Injection

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability

CVE-2023-33225 7.2 - High - July 26, 2023

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges.

Incorrect Comparison

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability

CVE-2023-23843 7.2 - High - July 26, 2023

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands.

Incorrect Comparison

The SolarWinds Platform was susceptible to the Incorrect Behavior Order Vulnerability

CVE-2023-33224 7.2 - High - July 26, 2023

The SolarWinds Platform was susceptible to the Incorrect Behavior Order Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability

CVE-2023-23844 7.2 - High - July 26, 2023

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges.

Incorrect Comparison

XSS attack was possible in DPA 2023.2 due to insufficient input validation

CVE-2023-33231 6.1 - Medium - July 18, 2023

XSS attack was possible in DPA 2023.2 due to insufficient input validation

XSS

SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request

CVE-2023-23841 7.5 - High - June 15, 2023

SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.? Part of the URL of the request discloses sensitive data. 

Cleartext Transmission of Sensitive Information

The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability

CVE-2023-23839 6.5 - Medium - April 25, 2023

The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability

CVE-2022-47509 6.1 - Medium - April 21, 2023

The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.

XSS

The SolarWinds Platform was susceptible to the Command Injection Vulnerability

CVE-2022-36963 7.2 - High - April 21, 2023

The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

Code Injection

The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability

CVE-2022-47505 7.8 - High - April 21, 2023

The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.

Improper Privilege Management

SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data

CVE-2023-23836 7.2 - High - February 15, 2023

SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands.

Marshaling, Unmarshaling

Customers who had configured their polling to occur

CVE-2022-47508 7.5 - High - February 15, 2023

Customers who had configured their polling to occur via Kerberos did not expect NTLM Traffic on their environment, but since we were querying for data via IP address this prevented us from utilizing Kerberos.

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data

CVE-2022-47507 7.2 - High - February 15, 2023

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Marshaling, Unmarshaling

SolarWinds Platform was susceptible to the Directory Traversal Vulnerability

CVE-2022-47506 7.8 - High - February 15, 2023

SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands.

Directory traversal

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data

CVE-2022-47504 7.2 - High - February 15, 2023

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Marshaling, Unmarshaling

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data

CVE-2022-38111 7.2 - High - February 15, 2023

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Marshaling, Unmarshaling

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data

CVE-2022-47503 7.2 - High - February 15, 2023

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Marshaling, Unmarshaling

Use of uninitialized variable in function gen_eth_recv in GNS3 dynamips 0.2.21.

CVE-2022-47012 7.5 - High - January 20, 2023

Use of uninitialized variable in function gen_eth_recv in GNS3 dynamips 0.2.21.

Use of Uninitialized Resource

In Database Performance Analyzer (DPA) 2022.4 and older releases

CVE-2022-38110 5.4 - Medium - January 20, 2023

In Database Performance Analyzer (DPA) 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting.

XSS

In DPA 2022.4 and older releases

CVE-2022-38112 7.5 - High - January 20, 2023

In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.

Cleartext Storage of Sensitive Information

Sensitive information was stored in plain text in a file

CVE-2022-47512 5.5 - Medium - December 19, 2022

Sensitive information was stored in plain text in a file that is accessible by a user with a local account in Hybrid Cloud Observability (HCO)/ SolarWinds Platform 2022.4. No other versions are affected

Cleartext Storage of Sensitive Information

This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1

CVE-2022-38106 5.4 - Medium - December 16, 2022

This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function.

XSS

Common encryption key appears to be used across all deployed instances of Serv-U FTP Server

CVE-2021-35252 7.5 - High - December 16, 2022

Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext.

authentification

SolarWinds Platform was susceptible to Improper Input Validation

CVE-2022-36960 8.8 - High - November 29, 2022

SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to escalate user privileges.

authentification

SolarWinds Platform was susceptible to Command Injection

CVE-2022-36962 7.2 - High - November 29, 2022

SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands.

Command Injection

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data

CVE-2022-36964 8.8 - High - November 29, 2022

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

Marshaling, Unmarshaling

The application fails to prevent users from connecting to it over unencrypted connections

CVE-2021-35246 5.3 - Medium - November 23, 2022

The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users.

Cleartext Transmission of Sensitive Information

This vulnerability discloses build and services versions in the server response header.

CVE-2022-38113 5.3 - Medium - November 23, 2022

This vulnerability discloses build and services versions in the server response header.

Information Disclosure

This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests

CVE-2022-38114 6.1 - Medium - November 23, 2022

This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests. This can lead to HTTP request smuggling or XSS.

XSS

Insecure method vulnerability in which allowed HTTP methods are disclosed

CVE-2022-38115 5.3 - Medium - November 23, 2022

Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT

Interpretation Conflict

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data

CVE-2022-36957 7.2 - High - October 20, 2022

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Marshaling, Unmarshaling

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data

CVE-2022-38108 7.2 - High - October 20, 2022

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Marshaling, Unmarshaling

Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous.

CVE-2022-36966 5.4 - Medium - October 20, 2022

Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous.

Insecure Direct Object Reference / IDOR

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data

CVE-2022-36958 8.8 - High - October 20, 2022

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

Marshaling, Unmarshaling

Sensitive information could be displayed when a detailed technical error message is posted

CVE-2022-38107 5.3 - Medium - October 19, 2022

Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details.

Generation of Error Message Containing Sensitive Information

An entity in Network Configuration Manager product is misconfigured and exposing password field to Solarwinds Information Service (SWIS)

CVE-2021-35226 6.5 - Medium - October 10, 2022

An entity in Network Configuration Manager product is misconfigured and exposing password field to Solarwinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role.

Inadequate Encryption Strength

Insufficient sanitization of inputs in QoE application input field could lead to stored and Dom based XSS attack

CVE-2022-36965 6.1 - Medium - September 30, 2022

Insufficient sanitization of inputs in QoE application input field could lead to stored and Dom based XSS attack. This issue is fixed and released in SolarWinds Platform (2022.3.0).

XSS

A vulnerable component of Orion Platform was vulnerable to SQL Injection

CVE-2022-36961 8.8 - High - September 30, 2022

A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.

SQL Injection

This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains

CVE-2021-35249 4.3 - Medium - May 17, 2022

This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read-only activity is logged to the original domain and does not specify which domain was accessed.

A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3

CVE-2021-35250 7.5 - High - April 25, 2022

A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.

Directory traversal

Cross-site scripting vulnerability is present in Database Performance Monitor 2022.1.7779 and previous versions when using a complex SQL query

CVE-2021-35229 6.1 - Medium - April 21, 2022

Cross-site scripting vulnerability is present in Database Performance Monitor 2022.1.7779 and previous versions when using a complex SQL query

XSS

SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk

CVE-2021-35254 8.8 - High - March 25, 2022

SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future.

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.