Search criteria
18 vulnerabilities found for webhelpdesk by solarwinds
FKIE_CVE-2021-35254
Vulnerability from fkie_nvd - Published: 2022-03-25 19:15 - Updated: 2024-11-21 06:12
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future.
References
| URL | Tags | ||
|---|---|---|---|
| psirt@solarwinds.com | https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US | Mitigation, Release Notes, Vendor Advisory | |
| psirt@solarwinds.com | https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US | Mitigation, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | webhelpdesk | * | |
| solarwinds | webhelpdesk | 12.7.8 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:solarwinds:webhelpdesk:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C15A7817-8886-4A78-A9B5-B11AF100D17D",
"versionEndExcluding": "12.7.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:solarwinds:webhelpdesk:12.7.8:-:*:*:*:*:*:*",
"matchCriteriaId": "B0A267F8-4120-48EF-ABA7-33D05426CAD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future."
},
{
"lang": "es",
"value": "SolarWinds recibi\u00f3 un informe de una vulnerabilidad relacionada con una entrada que no estaba saneada en WebHelpDesk. SolarWinds ha eliminado este campo de entrada para evitar el uso indebido de esta entrada en el futuro"
}
],
"id": "CVE-2021-35254",
"lastModified": "2024-11-21T06:12:09.747",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.8,
"source": "psirt@solarwinds.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-25T19:15:08.913",
"references": [
{
"source": "psirt@solarwinds.com",
"tags": [
"Mitigation",
"Release Notes",
"Vendor Advisory"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US"
},
{
"source": "psirt@solarwinds.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Release Notes",
"Vendor Advisory"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254"
}
],
"sourceIdentifier": "psirt@solarwinds.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "psirt@solarwinds.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-35232
Vulnerability from fkie_nvd - Published: 2021-12-27 19:15 - Updated: 2024-11-21 06:12
Severity ?
6.8 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Summary
Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | webhelpdesk | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:solarwinds:webhelpdesk:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53DE7A1A-2EF0-4757-AF6B-70839D4BA698",
"versionEndIncluding": "12.7.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database."
},
{
"lang": "es",
"value": "Se han detectado credenciales embebidas en el producto SolarWinds Web Help Desk. Mediante estas credenciales, el atacante con acceso local a la m\u00e1quina anfitriona de Web Help Desk permite ejecutar consultas HQL arbitrarias contra la base de datos y aprovechar la vulnerabilidad para robar los hashes de las contrase\u00f1as de los usuarios o insertar datos arbitrarios en la base de datos"
}
],
"id": "CVE-2021-35232",
"lastModified": "2024-11-21T06:12:06.813",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 4.2,
"source": "psirt@solarwinds.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 4.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-12-27T19:15:08.290",
"references": [
{
"source": "psirt@solarwinds.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"
},
{
"source": "psirt@solarwinds.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232"
}
],
"sourceIdentifier": "psirt@solarwinds.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "psirt@solarwinds.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-798"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-16959
Vulnerability from fkie_nvd - Published: 2020-12-21 16:15 - Updated: 2024-11-21 04:31
Severity ?
Summary
SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | webhelpdesk | 12.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:solarwinds:webhelpdesk:12.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ABB4202D-AD9A-421E-BA00-74A35DBB34BB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket."
},
{
"lang": "es",
"value": "SolarWinds Web Help Desk versi\u00f3n 12.7.0, permite una inyecci\u00f3n CSV, tambi\u00e9n se conoce como Inyecci\u00f3n de F\u00f3rmula, por medio de un archivo adjunto a un ticket"
}
],
"id": "CVE-2019-16959",
"lastModified": "2024-11-21T04:31:25.323",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-21T16:15:12.977",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/formula-injection-vulnerability-india-in-solarwinds-web-help-desk/"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/formula-injection-vulnerability-india-in-solarwinds-web-help-desk/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1236"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-16957
Vulnerability from fkie_nvd - Published: 2020-12-18 09:15 - Updated: 2024-11-21 04:31
Severity ?
Summary
SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | webhelpdesk | 12.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:solarwinds:webhelpdesk:12.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ABB4202D-AD9A-421E-BA00-74A35DBB34BB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account."
},
{
"lang": "es",
"value": "SolarWinds Web Help Desk versi\u00f3n 12.7.0, permite un ataque de tipo XSS por medio del campo Name de una Cuenta de Usuario"
}
],
"id": "CVE-2019-16957",
"lastModified": "2024-11-21T04:31:25.020",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-18T09:15:12.647",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk/"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-16955
Vulnerability from fkie_nvd - Published: 2020-12-18 09:15 - Updated: 2024-11-21 04:31
Severity ?
Summary
SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | webhelpdesk | 12.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:solarwinds:webhelpdesk:12.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "ABB4202D-AD9A-421E-BA00-74A35DBB34BB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request."
},
{
"lang": "es",
"value": "SolarWinds Web Help Desk versi\u00f3n 12.7.0, permite un ataque de tipo XSS por medio de un documento SVG cargado en una petici\u00f3n"
}
],
"id": "CVE-2019-16955",
"lastModified": "2024-11-21T04:31:24.713",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-18T09:15:12.570",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cross-site-scripting-via-file-upload-vulnerability-in-solarwinds-web-help-desk/"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.esecforte.com/cross-site-scripting-via-file-upload-vulnerability-in-solarwinds-web-help-desk/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-20002
Vulnerability from fkie_nvd - Published: 2020-04-27 15:15 - Updated: 2024-11-21 04:37
Severity ?
Summary
Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | webhelpdesk | 12.7.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:solarwinds:webhelpdesk:12.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "828F2B91-097B-4721-A7B7-0CE047DC28D1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user."
},
{
"lang": "es",
"value": "Una Injection de Formula existe en la funcionalidad de exportaci\u00f3n en SolarWinds WebHelpDesk versi\u00f3n 12.7.1, mediante un valor (proporcionado por un usuario poco privilegiado en el campo Subject de un formulario de petici\u00f3n de ayuda) que se maneja inapropiadamente en una exportaci\u00f3n TSV de TicketActions/view?tab=group por parte de un usuario administrador."
}
],
"id": "CVE-2019-20002",
"lastModified": "2024-11-21T04:37:51.647",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-27T15:15:12.297",
"references": [
{
"source": "cve@mitre.org",
"url": "https://medium.com/%40ayaan.saikia91/formula-injection-vulnerability-on-solarwinds-webhelpdesk-12-7-1-37569cd4cdc1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://medium.com/%40ayaan.saikia91/formula-injection-vulnerability-on-solarwinds-webhelpdesk-12-7-1-37569cd4cdc1"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1236"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2021-35254 (GCVE-0-2021-35254)
Vulnerability from cvelistv5 – Published: 2022-03-25 18:02 – Updated: 2024-08-04 00:33
VLAI?
Summary
SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future.
Severity ?
8.2 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | WebHelpDesk |
Affected:
12.7.8 and previous versions , < 12.7.8 HF 1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:33:51.251Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WebHelpDesk ",
"vendor": "SolarWinds",
"versions": [
{
"lessThan": "12.7.8 HF 1 ",
"status": "affected",
"version": "12.7.8 and previous versions",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-25T18:02:27",
"orgId": "49f11609-934d-4621-84e6-e02e032104d6",
"shortName": "SolarWinds"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254"
}
],
"solutions": [
{
"lang": "en",
"value": "SolarWinds advises to upgrade to the latest version of Web Help Desk (WHD 12.7.8 HF 1)."
}
],
"source": {
"defect": [
"CVE-2021-35254"
],
"discovery": "UNKNOWN"
},
"title": "Authenticated Remote Code Execution in WebHelpDesk 12.7.8 ",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@solarwinds.com",
"ID": "CVE-2021-35254",
"STATE": "PUBLIC",
"TITLE": "Authenticated Remote Code Execution in WebHelpDesk 12.7.8 "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WebHelpDesk ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "12.7.8 and previous versions",
"version_value": "12.7.8 HF 1 "
}
]
}
}
]
},
"vendor_name": "SolarWinds"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US",
"refsource": "MISC",
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US"
},
{
"name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254",
"refsource": "MISC",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254"
}
]
},
"solution": [
{
"lang": "en",
"value": "SolarWinds advises to upgrade to the latest version of Web Help Desk (WHD 12.7.8 HF 1)."
}
],
"source": {
"defect": [
"CVE-2021-35254"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6",
"assignerShortName": "SolarWinds",
"cveId": "CVE-2021-35254",
"datePublished": "2022-03-25T18:02:27",
"dateReserved": "2021-06-22T00:00:00",
"dateUpdated": "2024-08-04T00:33:51.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35232 (GCVE-0-2021-35232)
Vulnerability from cvelistv5 – Published: 2021-12-27 18:48 – Updated: 2024-09-17 03:44
VLAI?
Summary
Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database.
Severity ?
6.8 (Medium)
CWE
- CWE-798 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Web Help Desk |
Affected:
12.7.7 and previous versions , < 12.7.7 HF 1
(custom)
|
Credits
Shubham Shah
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:33:51.242Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Help Desk",
"vendor": "SolarWinds",
"versions": [
{
"lessThan": "12.7.7 HF 1",
"status": "affected",
"version": "12.7.7 and previous versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Shubham Shah"
}
],
"datePublic": "2021-12-21T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eHard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database.\u003c/p\u003e"
}
],
"value": "Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T20:30:17.665Z",
"orgId": "49f11609-934d-4621-84e6-e02e032104d6",
"shortName": "SolarWinds"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSolarWinds advises the customers to upgrade to the latest Web Help Desk 12.7.7 Hotfix 1 product release once it becomes generally available.\u003c/p\u003e"
}
],
"value": "SolarWinds advises the customers to upgrade to the latest Web Help Desk 12.7.7 Hotfix 1 product release once it becomes generally available."
}
],
"source": {
"defect": [
"CVE-2021-35232"
],
"discovery": "EXTERNAL"
},
"title": "Hard credentials discovered in SolarWinds Web Help Desk which allows to execute Arbitrary Hibernate Queries",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@solarwinds.com",
"DATE_PUBLIC": "2021-12-22T15:45:00.000Z",
"ID": "CVE-2021-35232",
"STATE": "PUBLIC",
"TITLE": "Hard credentials discovered in SolarWinds Web Help Desk which allows to execute Arbitrary Hibernate Queries"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Web Help Desk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "12.7.7 and previous versions",
"version_value": "12.7.7 HF 1"
}
]
}
}
]
},
"vendor_name": "SolarWinds"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Shubham Shah"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232",
"refsource": "MISC",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232"
},
{
"name": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US",
"refsource": "MISC",
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"
}
]
},
"solution": [
{
"lang": "en",
"value": "SolarWinds advises the customers to upgrade to the latest Web Help Desk 12.7.7 Hotfix 1 product release once it becomes generally available."
}
],
"source": {
"defect": [
"CVE-2021-35232"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6",
"assignerShortName": "SolarWinds",
"cveId": "CVE-2021-35232",
"datePublished": "2021-12-27T18:48:18.158328Z",
"dateReserved": "2021-06-22T00:00:00",
"dateUpdated": "2024-09-17T03:44:02.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16959 (GCVE-0-2019-16959)
Vulnerability from cvelistv5 – Published: 2020-12-21 15:13 – Updated: 2024-08-05 01:24
VLAI?
Summary
SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.746Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.esecforte.com/formula-injection-vulnerability-india-in-solarwinds-web-help-desk/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-21T15:13:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.esecforte.com/formula-injection-vulnerability-india-in-solarwinds-web-help-desk/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16959",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.solarwinds.com/SuccessCenter/s/",
"refsource": "MISC",
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"name": "https://www.solarwinds.com/free-tools/free-help-desk-software",
"refsource": "MISC",
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"name": "https://www.esecforte.com/formula-injection-vulnerability-india-in-solarwinds-web-help-desk/",
"refsource": "MISC",
"url": "https://www.esecforte.com/formula-injection-vulnerability-india-in-solarwinds-web-help-desk/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16959",
"datePublished": "2020-12-21T15:13:21",
"dateReserved": "2019-09-29T00:00:00",
"dateUpdated": "2024-08-05T01:24:48.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16955 (GCVE-0-2019-16955)
Vulnerability from cvelistv5 – Published: 2020-12-18 08:55 – Updated: 2024-08-05 01:24
VLAI?
Summary
SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.esecforte.com/cross-site-scripting-via-file-upload-vulnerability-in-solarwinds-web-help-desk/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-18T08:55:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.esecforte.com/cross-site-scripting-via-file-upload-vulnerability-in-solarwinds-web-help-desk/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16955",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.solarwinds.com/SuccessCenter/s/",
"refsource": "MISC",
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"name": "https://www.solarwinds.com/free-tools/free-help-desk-software",
"refsource": "MISC",
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"name": "https://www.esecforte.com/cross-site-scripting-via-file-upload-vulnerability-in-solarwinds-web-help-desk/",
"refsource": "MISC",
"url": "https://www.esecforte.com/cross-site-scripting-via-file-upload-vulnerability-in-solarwinds-web-help-desk/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16955",
"datePublished": "2020-12-18T08:55:56",
"dateReserved": "2019-09-29T00:00:00",
"dateUpdated": "2024-08-05T01:24:48.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16957 (GCVE-0-2019-16957)
Vulnerability from cvelistv5 – Published: 2020-12-18 08:53 – Updated: 2024-08-05 01:24
VLAI?
Summary
SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-18T08:53:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16957",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.solarwinds.com/SuccessCenter/s/",
"refsource": "MISC",
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"name": "https://www.solarwinds.com/free-tools/free-help-desk-software",
"refsource": "MISC",
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"name": "https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk/",
"refsource": "MISC",
"url": "https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16957",
"datePublished": "2020-12-18T08:53:24",
"dateReserved": "2019-09-29T00:00:00",
"dateUpdated": "2024-08-05T01:24:48.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20002 (GCVE-0-2019-20002)
Vulnerability from cvelistv5 – Published: 2020-04-27 14:29 – Updated: 2024-08-05 02:32
VLAI?
Summary
Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:32:10.476Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://medium.com/%40ayaan.saikia91/formula-injection-vulnerability-on-solarwinds-webhelpdesk-12-7-1-37569cd4cdc1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-04-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-27T14:29:28",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://medium.com/%40ayaan.saikia91/formula-injection-vulnerability-on-solarwinds-webhelpdesk-12-7-1-37569cd4cdc1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20002",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://medium.com/@ayaan.saikia91/formula-injection-vulnerability-on-solarwinds-webhelpdesk-12-7-1-37569cd4cdc1",
"refsource": "MISC",
"url": "https://medium.com/@ayaan.saikia91/formula-injection-vulnerability-on-solarwinds-webhelpdesk-12-7-1-37569cd4cdc1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20002",
"datePublished": "2020-04-27T14:29:28",
"dateReserved": "2019-12-26T00:00:00",
"dateUpdated": "2024-08-05T02:32:10.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35254 (GCVE-0-2021-35254)
Vulnerability from nvd – Published: 2022-03-25 18:02 – Updated: 2024-08-04 00:33
VLAI?
Summary
SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future.
Severity ?
8.2 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | WebHelpDesk |
Affected:
12.7.8 and previous versions , < 12.7.8 HF 1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:33:51.251Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WebHelpDesk ",
"vendor": "SolarWinds",
"versions": [
{
"lessThan": "12.7.8 HF 1 ",
"status": "affected",
"version": "12.7.8 and previous versions",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-25T18:02:27",
"orgId": "49f11609-934d-4621-84e6-e02e032104d6",
"shortName": "SolarWinds"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254"
}
],
"solutions": [
{
"lang": "en",
"value": "SolarWinds advises to upgrade to the latest version of Web Help Desk (WHD 12.7.8 HF 1)."
}
],
"source": {
"defect": [
"CVE-2021-35254"
],
"discovery": "UNKNOWN"
},
"title": "Authenticated Remote Code Execution in WebHelpDesk 12.7.8 ",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@solarwinds.com",
"ID": "CVE-2021-35254",
"STATE": "PUBLIC",
"TITLE": "Authenticated Remote Code Execution in WebHelpDesk 12.7.8 "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WebHelpDesk ",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "12.7.8 and previous versions",
"version_value": "12.7.8 HF 1 "
}
]
}
}
]
},
"vendor_name": "SolarWinds"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SolarWinds received a report of a vulnerability related to an input that was not sanitized in WebHelpDesk. SolarWinds has removed this input field to prevent the misuse of this input in the future."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US",
"refsource": "MISC",
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-8-Hotfix-1-Release-Notes?language=en_US"
},
{
"name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254",
"refsource": "MISC",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35254"
}
]
},
"solution": [
{
"lang": "en",
"value": "SolarWinds advises to upgrade to the latest version of Web Help Desk (WHD 12.7.8 HF 1)."
}
],
"source": {
"defect": [
"CVE-2021-35254"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6",
"assignerShortName": "SolarWinds",
"cveId": "CVE-2021-35254",
"datePublished": "2022-03-25T18:02:27",
"dateReserved": "2021-06-22T00:00:00",
"dateUpdated": "2024-08-04T00:33:51.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35232 (GCVE-0-2021-35232)
Vulnerability from nvd – Published: 2021-12-27 18:48 – Updated: 2024-09-17 03:44
VLAI?
Summary
Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database.
Severity ?
6.8 (Medium)
CWE
- CWE-798 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Web Help Desk |
Affected:
12.7.7 and previous versions , < 12.7.7 HF 1
(custom)
|
Credits
Shubham Shah
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:33:51.242Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Help Desk",
"vendor": "SolarWinds",
"versions": [
{
"lessThan": "12.7.7 HF 1",
"status": "affected",
"version": "12.7.7 and previous versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Shubham Shah"
}
],
"datePublic": "2021-12-21T16:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eHard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database.\u003c/p\u003e"
}
],
"value": "Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-798",
"description": "CWE-798: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T20:30:17.665Z",
"orgId": "49f11609-934d-4621-84e6-e02e032104d6",
"shortName": "SolarWinds"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSolarWinds advises the customers to upgrade to the latest Web Help Desk 12.7.7 Hotfix 1 product release once it becomes generally available.\u003c/p\u003e"
}
],
"value": "SolarWinds advises the customers to upgrade to the latest Web Help Desk 12.7.7 Hotfix 1 product release once it becomes generally available."
}
],
"source": {
"defect": [
"CVE-2021-35232"
],
"discovery": "EXTERNAL"
},
"title": "Hard credentials discovered in SolarWinds Web Help Desk which allows to execute Arbitrary Hibernate Queries",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@solarwinds.com",
"DATE_PUBLIC": "2021-12-22T15:45:00.000Z",
"ID": "CVE-2021-35232",
"STATE": "PUBLIC",
"TITLE": "Hard credentials discovered in SolarWinds Web Help Desk which allows to execute Arbitrary Hibernate Queries"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Web Help Desk",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "12.7.7 and previous versions",
"version_value": "12.7.7 HF 1"
}
]
}
}
]
},
"vendor_name": "SolarWinds"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Shubham Shah"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232",
"refsource": "MISC",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232"
},
{
"name": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US",
"refsource": "MISC",
"url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"
}
]
},
"solution": [
{
"lang": "en",
"value": "SolarWinds advises the customers to upgrade to the latest Web Help Desk 12.7.7 Hotfix 1 product release once it becomes generally available."
}
],
"source": {
"defect": [
"CVE-2021-35232"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6",
"assignerShortName": "SolarWinds",
"cveId": "CVE-2021-35232",
"datePublished": "2021-12-27T18:48:18.158328Z",
"dateReserved": "2021-06-22T00:00:00",
"dateUpdated": "2024-09-17T03:44:02.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16959 (GCVE-0-2019-16959)
Vulnerability from nvd – Published: 2020-12-21 15:13 – Updated: 2024-08-05 01:24
VLAI?
Summary
SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.746Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.esecforte.com/formula-injection-vulnerability-india-in-solarwinds-web-help-desk/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-21T15:13:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.esecforte.com/formula-injection-vulnerability-india-in-solarwinds-web-help-desk/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16959",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Formula Injection, via a file attached to a ticket."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.solarwinds.com/SuccessCenter/s/",
"refsource": "MISC",
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"name": "https://www.solarwinds.com/free-tools/free-help-desk-software",
"refsource": "MISC",
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"name": "https://www.esecforte.com/formula-injection-vulnerability-india-in-solarwinds-web-help-desk/",
"refsource": "MISC",
"url": "https://www.esecforte.com/formula-injection-vulnerability-india-in-solarwinds-web-help-desk/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16959",
"datePublished": "2020-12-21T15:13:21",
"dateReserved": "2019-09-29T00:00:00",
"dateUpdated": "2024-08-05T01:24:48.746Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16955 (GCVE-0-2019-16955)
Vulnerability from nvd – Published: 2020-12-18 08:55 – Updated: 2024-08-05 01:24
VLAI?
Summary
SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.esecforte.com/cross-site-scripting-via-file-upload-vulnerability-in-solarwinds-web-help-desk/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-18T08:55:56",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.esecforte.com/cross-site-scripting-via-file-upload-vulnerability-in-solarwinds-web-help-desk/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16955",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.solarwinds.com/SuccessCenter/s/",
"refsource": "MISC",
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"name": "https://www.solarwinds.com/free-tools/free-help-desk-software",
"refsource": "MISC",
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"name": "https://www.esecforte.com/cross-site-scripting-via-file-upload-vulnerability-in-solarwinds-web-help-desk/",
"refsource": "MISC",
"url": "https://www.esecforte.com/cross-site-scripting-via-file-upload-vulnerability-in-solarwinds-web-help-desk/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16955",
"datePublished": "2020-12-18T08:55:56",
"dateReserved": "2019-09-29T00:00:00",
"dateUpdated": "2024-08-05T01:24:48.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16957 (GCVE-0-2019-16957)
Vulnerability from nvd – Published: 2020-12-18 08:53 – Updated: 2024-08-05 01:24
VLAI?
Summary
SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-18T08:53:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16957",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of a User Account."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.solarwinds.com/SuccessCenter/s/",
"refsource": "MISC",
"url": "https://support.solarwinds.com/SuccessCenter/s/"
},
{
"name": "https://www.solarwinds.com/free-tools/free-help-desk-software",
"refsource": "MISC",
"url": "https://www.solarwinds.com/free-tools/free-help-desk-software"
},
{
"name": "https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk/",
"refsource": "MISC",
"url": "https://www.esecforte.com/cross-site-scripting-vulnerability-in-solarwinds-web-help-desk/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16957",
"datePublished": "2020-12-18T08:53:24",
"dateReserved": "2019-09-29T00:00:00",
"dateUpdated": "2024-08-05T01:24:48.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20002 (GCVE-0-2019-20002)
Vulnerability from nvd – Published: 2020-04-27 14:29 – Updated: 2024-08-05 02:32
VLAI?
Summary
Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:32:10.476Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://medium.com/%40ayaan.saikia91/formula-injection-vulnerability-on-solarwinds-webhelpdesk-12-7-1-37569cd4cdc1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2020-04-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-27T14:29:28",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://medium.com/%40ayaan.saikia91/formula-injection-vulnerability-on-solarwinds-webhelpdesk-12-7-1-37569cd4cdc1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20002",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Formula Injection exists in the export feature in SolarWinds WebHelpDesk 12.7.1 via a value (provided by a low-privileged user in the Subject field of a help request form) that is mishandled in a TicketActions/view?tab=group TSV export by an admin user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://medium.com/@ayaan.saikia91/formula-injection-vulnerability-on-solarwinds-webhelpdesk-12-7-1-37569cd4cdc1",
"refsource": "MISC",
"url": "https://medium.com/@ayaan.saikia91/formula-injection-vulnerability-on-solarwinds-webhelpdesk-12-7-1-37569cd4cdc1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20002",
"datePublished": "2020-04-27T14:29:28",
"dateReserved": "2019-12-26T00:00:00",
"dateUpdated": "2024-08-05T02:32:10.476Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}