- 170/2024
- High
SolarWinds has released security updates to address several vulnerabilities across SolarWinds Platform 2024.1 SR 1 and previous versions.
The addressed vulnerabilities could allow the attacker to conduct cross-site scripting attacks, or view, add, modify, and delete information in the back-end database on the affected system by sending specially crafted SQL statements to the user interface.
The addressed vulnerabilities:
1. SolarWinds Platform SWQL Injection Vulnerability (CVE-2024-28996):
- CVSS: 7.5
- Attack Vector: Adjacent Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Consequences: Data Manipulation
2. SolarWinds Platform Stored XSS Vulnerability (CVE-2024-29004):
- CVSS: 7.1
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: Required
- Consequences: Cross-Site Scripting
Vulnerabilities
- CVE-2024-28996
- CVE-2024-29004
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.