Filtered by vendor Solarwinds
Subscribe
Total
204 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15909 | 1 Solarwinds | 1 N-central | 2020-10-29 | 6.8 MEDIUM | 8.8 HIGH |
| SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. The N-Central JSESSIONID cookie attribute is not checked against multiple sources such as sourceip, MFA claim, etc. as long as the victim stays logged in within N-Central. To take advantage of this, cookie could be stolen and the JSESSIONID can be captured. On its own this is not a surprising result; low security tools allow the cookie to roam from machine to machine. The JSESSION cookie can then be used on the attackers’ workstation by browsing to the victim’s NCentral server URL and replacing the JSESSIONID attribute value by the captured value. Expected behavior would be to check this against a second source and enforce at least a reauthentication or multi factor request as N-Central is a highly privileged service. | |||||
| CVE-2019-9546 | 1 Solarwinds | 1 Orion Platform | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege escalation through the RabbitMQ service. | |||||
| CVE-2019-12863 | 1 Solarwinds | 3 Netpath, Network Performance Monitor, Orion Platform | 2020-08-24 | 3.5 LOW | 4.8 MEDIUM |
| SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) allows Stored HTML Injection by administrators via the Web Console Settings screen. | |||||
| CVE-2019-13181 | 1 Solarwinds | 1 Serv-u Ftp Server | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| A CSV injection vulnerability exists in the web UI of SolarWinds Serv-U FTP Server v15.1.7. | |||||
| CVE-2019-8917 | 1 Solarwinds | 1 Orion Network Performance Monitor | 2020-08-24 | 10.0 HIGH | 9.8 CRITICAL |
| SolarWinds Orion NPM before 12.4 suffers from a SYSTEM remote code execution vulnerability in the OrionModuleEngine service. This service establishes a NetTcpBinding endpoint that allows remote, unauthenticated clients to connect and call publicly exposed methods. The InvokeActionMethod method may be abused by an attacker to execute commands as the SYSTEM user. | |||||
| CVE-2011-4800 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 9.0 HIGH | N/A |
| Directory traversal vulnerability in Serv-U FTP Server before 11.1.0.5 allows remote authenticated users to read and write arbitrary files, and list and create arbitrary directories, via a "..:/" (dot dot colon forward slash) in the (1) list, (2) put, or (3) get commands. | |||||
| CVE-2009-4815 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 4.0 MEDIUM | N/A |
| Directory traversal vulnerability in Serv-U before 9.2.0.1 allows remote authenticated users to read arbitrary files via unspecified vectors. | |||||
| CVE-2009-3655 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 5.0 MEDIUM | N/A |
| Rhino Software Serv-U 7.0.0.1 through 8.2.0.3 allows remote attackers to cause a denial of service (server crash) via unspecified vectors related to the "SITE SET TRANSFERPROGRESS ON" FTP command. | |||||
| CVE-2009-4006 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 10.0 HIGH | N/A |
| Stack-based buffer overflow in the TEA decoding algorithm in RhinoSoft Serv-U FTP server 7.0.0.1, 9.0.0.5, and other versions before 9.1.0.0 allows remote attackers to execute arbitrary code via a long hexadecimal string. | |||||
| CVE-2009-1031 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 7.8 HIGH | N/A |
| Directory traversal vulnerability in the FTP server in Rhino Software Serv-U File Server 7.0.0.1 through 7.4.0.1 allows remote attackers to create arbitrary directories via a \.. (backslash dot dot) in an MKD request. | |||||
| CVE-2008-4501 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 9.0 HIGH | N/A |
| Directory traversal vulnerability in the FTP server in Serv-U 7.0.0.1 through 7.3, including 7.2.0.1, allows remote authenticated users to overwrite or create arbitrary files via a ..\ (dot dot backslash) in the RNTO command. | |||||
| CVE-2008-4500 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 4.0 MEDIUM | N/A |
| Serv-U 7.0.0.1 through 7.3, including 7.2.0.1, allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted stou command, probably related to MS-DOS device names, as demonstrated using "con:1". | |||||
| CVE-2008-3731 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 4.0 MEDIUM | N/A |
| Unspecified vulnerability in Serv-U File Server 7.0.0.1, and other versions before 7.2.0.1, allows remote authenticated users to cause a denial of service (daemon crash) via an SSH session with SFTP commands for directory creation and logging. | |||||
| CVE-2009-0967 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 4.0 MEDIUM | N/A |
| The FTP server in Serv-U 7.0.0.1 through 7.4.0.1 allows remote authenticated users to cause a denial of service (service hang) via a large number of SMNT commands without an argument. | |||||
| CVE-2005-3467 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 5.0 MEDIUM | N/A |
| Serv-U FTP Server before 6.1.0.4 allows attackers to cause a denial of service (crash) via (1) malformed packets and possibly other unspecified issues with unknown impact and attack vectors including (2) use of "~" in a pathname, and (3) memory consumption of the daemon. NOTE: it is not clear whether items (2) and above are vulnerabilities. | |||||
| CVE-2004-2533 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 5.0 MEDIUM | N/A |
| Serv-U FTP Server 4.1 (possibly 4.0) allows remote attackers to cause a denial of service (application crash) via a SITE CHMOD command with a "\\...\" followed by a short string, causing partial memory corruption, a different vulnerability than CVE-2004-2111. | |||||
| CVE-2001-1463 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 7.5 HIGH | N/A |
| The remote administration client for RhinoSoft Serv-U 3.0 sends the user password in plaintext even when S/KEY One-Time Password (OTP) authentication is enabled, which allows remote attackers to sniff passwords. | |||||
| CVE-2002-2393 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 5.0 MEDIUM | N/A |
| Serv-U FTP server 3.0, 3.1 and 4.0.0.4 does not accept new connections while validating user folder access rights, which allows remote attackers to cause a denial of service (no new connections) via a series of MKD commands. | |||||
| CVE-2004-0330 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 10.0 HIGH | N/A |
| Buffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticated users to execute arbitrary code via a long time zone argument to the MDTM command. | |||||
| CVE-2004-1675 | 1 Solarwinds | 1 Serv-u File Server | 2020-07-28 | 5.0 MEDIUM | N/A |
| Serv-U FTP server 4.x and 5.x allows remote attackers to cause a denial of service (application crash) via a STORE UNIQUE (STOU) command with an MS-DOS device name argument such as (1) COM1, (2) LPT1, (3) PRN, or (4) AUX. | |||||