SolarWinds Network Performance Monitor 10.2.2 and possibly earlier versions contain cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities.
A remote unauthenticated attacker may obtain sensitive information, cause a denial of service condition or execute arbitrary code with the privileges of the application.
Apply an Update
As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.
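The distinction drawn above, as an added example that is not part of the original advisory or of any SolarWinds code: a network allowlist and a request-origin check are applied to three constructed requests. The network range, console origin, and function names are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed values for illustration: trusted management network and console origin.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
CONSOLE_ORIGIN = "https://npm.example.internal"
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

def ip_allowed(src_ip):
    """Network-level restriction: is the client on a trusted network?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETS)

def same_origin(headers):
    """Request-level check: does Origin (or Referer) match the console?"""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when neither header is present
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == CONSOLE_ORIGIN

def evaluate(request):
    """Return which control, if any, rejects the request."""
    if not ip_allowed(request["src_ip"]):
        return "blocked-by-network"
    if request["method"] in STATE_CHANGING and not same_origin(request["headers"]):
        return "cross-site-request"
    return "allowed"

# Constructed sample requests (not taken from any real log).
SAMPLES = [
    # Administrator submits a form from the console itself.
    {"src_ip": "10.20.0.15", "method": "POST",
     "headers": {"Origin": "https://npm.example.internal"}},
    # Same trusted host, but the request was initiated by a different site.
    {"src_ip": "10.20.0.15", "method": "POST",
     "headers": {"Origin": "https://other.example.net"}},
    # Valid-looking request arriving from a network outside the allowlist.
    {"src_ip": "203.0.113.9", "method": "POST",
     "headers": {"Origin": "https://npm.example.internal"}},
]

def run_samples():
    return [evaluate(r) for r in SAMPLES]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLES, run_samples()):
        print(req["src_ip"], req["headers"].get("Origin"), "->", verdict)
```

The second sample passes the network allowlist and is caught only by the origin check, which is why access restriction alone does not address CSRF.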
Notified: June 26, 2012 Updated: August 03, 2012
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector
Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal | 5.3 | E:POC/RL:OF/RC:C
Environmental | 1.3 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND
Thanks to Offensive Security for reporting these vulnerabilities.
This document was written by Jared Allar.