Version 2020.2.6 and previous versions

OTHER 8 CVEs

Known Vulnerabilities

CVE-2022-36965

Insufficient sanitization of inputs in the QoE application input field could lead to stored and DOM-based XSS attacks. This issue is fixed and released in SolarWinds Platform (2022.3.0).

MEDIUM CVSS 6.1 Published Sep 30, 2022

CVE-2021-35238

A user with Orion Platform Admin Rights could store XSS through a URL POST parameter in the CreateExternalWebsite website.

MEDIUM CVSS 4.8 Published Sep 01, 2021

CVE-2021-35240

A security researcher stored XSS via a Help Server setting. This affects customers using Internet Explorer, because it does not support 'rel=noopener'.

MEDIUM CVSS 6.5 Published Aug 31, 2021

CVE-2021-35239

A security researcher found that a user with Orion map manage rights could store XSS via a text box hyperlink.

HIGH CVSS 7.5 Published Aug 31, 2021

CVE-2021-35222

This vulnerability allows attackers to impersonate users and perform arbitrary actions leading to a Remote Code Execution (RCE) from the Alerts Settings page.

HIGH CVSS 8.0 Published Aug 31, 2021

CVE-2021-35221

Improper Access Control Tampering Vulnerability using the ImportAlert function, which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.

MEDIUM CVSS 6.3 Published Aug 31, 2021

CVE-2021-35220

Command Injection vulnerability in the EmailWebPage API, which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.

HIGH CVSS 8.1 Published Aug 31, 2021

CVE-2021-35219

ExportToPdfCmd Arbitrary File Read Information Disclosure Vulnerability using the ImportAlert function within the Alerts Settings page.

MEDIUM CVSS 6.0 Published Aug 31, 2021