CVE-2020-13169

Stored XSS (Cross-Site Scripting) exists in the SolarWinds Orion Platform before before 2020.2.1 on multiple forms and pages. This vulnerability may lead to the Information Disclosure and Escalation of Privileges (takeover of administrator account).

CVSS v3 9.0 CRITICAL
CVSS v2.0 3.5 LOW

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Release_Notes/Orion_Platform_2020-2-1_release_notes.htm#NewFeaturesOrion	Release Notes Vendor Advisory
https://support.solarwinds.com/SuccessCenter/s/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:solarwinds:orion_platform:*:*:*:*:*:*:*:*

History

21 Jan 2022, 14:23

Type	Values Removed	Values Added
CVSS	v2 : ~~4.3~~ v3 : ~~9.6~~	v2 : 3.5 v3 : 9.0

Information

Published : 2020-09-17 18:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-13169

Mitre link : CVE-2020-13169

CVE.ORG link : CVE-2020-13169

JSON object : View

Products Affected

solarwinds

orion_platform

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-13169", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2020-09-17T18:15:12.240", "references": [{"url": "https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Release_Notes/Orion_Platform_2020-2-1_release_notes.htm#NewFeaturesOrion", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://support.solarwinds.com/SuccessCenter/s/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Stored XSS (Cross-Site Scripting) exists in the SolarWinds Orion Platform before before 2020.2.1 on multiple forms and pages. This vulnerability may lead to the Information Disclosure and Escalation of Privileges (takeover of administrator account)."}, {"lang": "es", "value": "Una vulnerabilidad de tipo XSS (Cross-Site Scripting) almacenado se presenta en SolarWinds Orion Platform versiones anteriores a 2020.2.1, en varios formularios y p\u00e1ginas. Esta vulnerabilidad puede conllevar a una divulgaci\u00f3n de informaci\u00f3n y a una escalada de privilegios (toma de control de la cuenta de administrador)"}], "lastModified": "2022-01-21T14:23:36.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:orion_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37385F23-D00F-4D1F-9A0B-DEFAD82EFC48", "versionEndExcluding": "2020.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}