- 124/2024
- High
- April 21, 2024
- 3:19 pm
SolarWinds has released a security update to address two vulnerabilities affecting SolarWinds platform 2024.4.1 and prior versions.
The addressed vulnerabilities could allow the attacker to manipulate data and view, add, modify, or delete information in the back-end database, or perform cross-site scripting (XSS) attacks using a specially crafted URL to execute script in the victim’s Web browser within the security context of the hosting website.
The addressed vulnerabilities:
1. SolarWinds Platform SWQL Injection Vulnerability (CVE-2024-29001):
- CVSS: 7.5
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Consequences: Data Manipulation
2. SolarWinds Platform Cross-site Scripting Vulnerability (CVE-2024-29003):
- CVSS: 7.5
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Consequences: Cross-Site Scripting
Vulnerabilities
- CVE-2024-29001
- CVE-2024-29003
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.