Resource.aspx Reflected Cross-Site Scripting Vulnerability
CVE-2021-35222

8HIGH

Key Information:

Vendor: Solarwinds
Status: Orion Platform
Vendor: CVE Published:; 31 August 2021

Summary

This vulnerability allows attackers to impersonate users and perform arbitrary actions leading to a Remote Code Execution (RCE) from the Alerts Settings page.

Affected Version(s)

Orion Platform Windows 2020.2.6 and previous versions < 2020.2.6 HF1

References

https://documentation.solarwinds.com/en/success_center/or...

x_refsource_MISC

https://support.solarwinds.com/SuccessCenter/s/article/Or...

x_refsource_MISC

https://www.solarwinds.com/trust-center/security-advisori...

x_refsource_MISC

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Aug 31, 2021
Vulnerability Reserved
Jun 22, 2021

Credit

SolarWinds would like to thank Alex Birnberg of Zymo Security and FireEye for reporting on the issue in a responsible manner.