ZDI-22-1325
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
Sep 30, 2022 - 12:00 a.m.

SolarWinds Network Performance Monitor UpdateActionsDescriptions SQL Injection Privilege Escalation Vulnerability

www.zerodayinitiative.com
Tags: solarwinds, sql injection, privilege escalation, network performance monitor, authentication, validation, vulnerability, remote attackers, sql queries, user-supplied string, resource protection

EPSS: 0.003 (Low), percentile 70.9%

This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. The specific flaw exists within the UpdateActionsDescriptions function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user.
