- 218/2022
- High
SolarWinds has released security updates to address multiple vulnerabilities in SolarWinds Orion Platform “2022.2 and earlier”, and Hybrid Cloud Observability NCM “2020.2.5 and previous versions”.
The addressed vulnerabilities could be exploited to allow the remote attacker to perform SQL injection or stored and DOM-based cross-site scripting attacks.
Sample of the addressed vulnerabilities:
1. SQL Injection in Orion Platform (CVE-2022-36961):
• CVSS: 8
• Attack Vector: Adjacent Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: SQL Injection
2. Stored and DOM XSS in QoE Applications: Orion Platform (CVE-2022-36965):
• CVSS: 7.1
• Attack Vector: Adjacent Network
• Attack Complexity: Low
• Privileges Required: High
• User Interaction: Required
• Consequences: Cross-Site Scripting
Vulnerabilities
- CVE-2022-36961
- CVE-2022-36965
- CVE-2021-35226
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.