CVE-2014-9566

2015-03-1014:59:00

CWE-89

[email protected]

web.nvd.nist.gov

cve-2014-9566

sql injection

manage accounts page

accountmanagement.asmx

solarwinds orion platform

npm

nta

ncm

ipam

udt

vnqm

sam

wpm

security vulnerability

7.9 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.963 High

EPSS

Percentile

99.5%

JSON

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager (NCM) before 7.3.2, IP Address Manager (IPAM) before 4.3, User Device Tracker (UDT) before 3.2, VoIP & Network Quality Manager (VNQM) before 4.2, Server & Application Manager (SAM) before 6.2, Web Performance Monitor (WPM) before 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint.

CPENameOperatorVersion
solarwinds:orion_netflow_traffic_analyzersolarwinds orion netflow traffic analyzerle4.0
solarwinds:orion_web_performance_monitorsolarwinds orion web performance monitorle2.1
solarwinds:orion_network_configuration_managersolarwinds orion network configuration managerle7.3.1
solarwinds:orion_user_device_trackersolarwinds orion user device trackerle3.1
solarwinds:orion_ip_address_managersolarwinds orion ip address managerle4.2
solarwinds:orion_voip_\&_network_quality_managersolarwinds orion voip \& network quality managerle4.1
solarwinds:orion_server_and_application_managersolarwinds orion server and application managerle6.1
solarwinds:orion_network_performance_monitorsolarwinds orion network performance monitorle11.4

CPE	Name	Operator	Version
solarwinds:orion_netflow_traffic_analyzer	solarwinds orion netflow traffic analyzer	le	4.0
solarwinds:orion_web_performance_monitor	solarwinds orion web performance monitor	le	2.1
solarwinds:orion_network_configuration_manager	solarwinds orion network configuration manager	le	7.3.1
solarwinds:orion_user_device_tracker	solarwinds orion user device tracker	le	3.1
solarwinds:orion_ip_address_manager	solarwinds orion ip address manager	le	4.2
solarwinds:orion_voip_\&_network_quality_manager	solarwinds orion voip \& network quality manager	le	4.1
solarwinds:orion_server_and_application_manager	solarwinds orion server and application manager	le	6.1
solarwinds:orion_network_performance_monitor	solarwinds orion network performance monitor	le	11.4