Stored XSS via Help Server settings
CVE-2021-35240

6.5MEDIUM

Key Information:

Vendor: Solarwinds
Status: Orion Platform
Vendor: CVE Published:; 31 August 2021

Summary

A security researcher stored XSS via a Help Server setting. This affects customers using Internet Explorer, because they do not support 'rel=noopener'.

Affected Version(s)

Orion Platform Windows 2020.2.6 and previous versions < 2020.2.6 HF1

References

https://documentation.solarwinds.com/en/success_center/or...

x_refsource_MISC

https://support.solarwinds.com/SuccessCenter/s/article/Or...

x_refsource_MISC

https://www.solarwinds.com/trust-center/security-advisori...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Aug 31, 2021
Vulnerability Reserved
Jun 22, 2021

Credit

SolarWinds would like to thank Kajetan Rostojek for reporting on the issue in a responsible manner.