Cookie Manipulation Vulnerability in SolarWinds N-Central
CVE-2020-15910
4.7 MEDIUM
Summary
The vulnerability in SolarWinds N-Central versions 12.3 GA and lower stems from the JSESSIONID cookie not being set with the HttpOnly attribute. This oversight allows attackers to manipulate the cookie using JavaScript, potentially leading to session hijacking. By directing unsuspecting users to a malicious webpage or exploiting JavaScript, an attacker can extract the JSESSIONID and use it for unauthorized access. Organizations using affected versions of N-Central should take immediate action to protect their systems.
CVSS V3.1
Score: 4.7
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved