CVE-2014-9566

Currently unrated

Key Information:

Vendor: Solarwinds
Status: Orion Netflow Traffic Analyzer; Orion Web Performance Monitor; Orion Network Configuration Manager; Orion User Device Tracker
Vendor: CVE Published:; 10 March 2015

Summary

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager (NCM) before 7.3.2, IP Address Manager (IPAM) before 4.3, User Device Tracker (UDT) before 3.2, VoIP & Network Quality Manager (VNQM) before 4.2, Server & Application Manager (SAM) before 6.2, Web Performance Monitor (WPM) before 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint.

References

https://github.com/rapid7/metasploit-framework/pull/4836

x_refsource_MISC

http://www.exploit-db.com/exploits/36262

exploitx_refsource_EXPLOIT-DB

http://osvdb.org/show/osvdb/118746

vdb-entryx_refsource_OSVDB

EPSS Score

94% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Mar 10, 2015
Vulnerability Reserved
Jan 7, 2015