History: Oct 19, 2021 - 12:00 a.m.

CVE-2021-35228 Reflected cross site scripting affecting SolarWinds: DPA 2021.3.7388

2021-10-19 00:00:00
SolarWinds
www.cve.org
cve-2021-35228
solarwinds
cross site scripting
input sanitization
headers
man in the middle

CVSS3: 5.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

EPSS: 0.001
Percentile: 28.7%

This vulnerability occurred due to missing input sanitization for one of the output fields, extracted from headers, on a specific section of the page, which allows a reflected cross-site scripting attack. An attacker would need to perform a man-in-the-middle attack in order to change the header for a remote victim.

CNA Affected

[
  {
    "product": "SolarWinds",
    "vendor": "SolarWinds",
    "versions": [
      {
        "lessThan": "2021.3.7388",
        "status": "affected",
        "version": "DPA 2021.3.7388",
        "versionType": "custom"
      }
    ]
  }
]
