Vulnerabilities > Solarwinds > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-12-06 | CVE-2021-35242 | Cross-Site Request Forgery (CSRF) vulnerability in Solarwinds Serv-U Serv-U server responds with valid CSRFToken when the request contains only Session. | 6.8 |
| 2021-12-06 | CVE-2021-35245 | Unspecified vulnerability in Solarwinds Serv-U When a user has admin rights in Serv-U Console, the user can move, create and delete any files are able to be accessed on the Serv-U host machine. | 6.8 |
| 2021-10-29 | CVE-2021-35237 | Improper Restriction of Rendered UI Layers or Frames vulnerability in Solarwinds Kiwi Syslog Server A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to click jacking. | 4.3 |
| 2021-10-27 | CVE-2021-35233 | Unspecified vulnerability in Solarwinds Kiwi Syslog Server The HTTP TRACK & TRACE methods were enabled in Kiwi Syslog Server 9.7.1 and earlier. | 5.0 |
| 2021-10-27 | CVE-2021-35235 | Unspecified vulnerability in Solarwinds Kiwi Syslog Server The ASP.NET debug feature is enabled by default in Kiwi Syslog Server 9.7.2 and previous versions. | 5.0 |
| 2021-10-27 | CVE-2021-35236 | Missing Encryption of Sensitive Data vulnerability in Solarwinds Kiwi Syslog Server The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. | 5.3 |
| 2021-10-25 | CVE-2021-35231 | Unquoted Search Path or Element vulnerability in Solarwinds Kiwi Syslog Server As a result of an unquoted service path vulnerability present in the Kiwi Syslog Server Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry. | 4.6 |
| 2021-10-21 | CVE-2021-35225 | Unspecified vulnerability in Solarwinds Network Performance Monitor Each authenticated Orion Platform user in a MSP (Managed Service Provider) environment can view and browse all NetPath Services from all that MSP's customers. | 5.5 |
| 2021-10-21 | CVE-2021-35227 | Deserialization of Untrusted Data vulnerability in Solarwinds Access Rights Manager The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available. | 4.6 |
| 2021-09-08 | CVE-2021-35217 | Deserialization of Untrusted Data vulnerability in Solarwinds Patch Manager Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. | 6.5 |