Vulnerability Note VU#174119
Solarwinds Network Performance Monitor 10.2.2 contains multiple vulnerabilities
Overview
Solarwinds Network Performance Monitor 10.2.2 and possibly earlier versions contain cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities.
Description
Solarwinds Network Performance Monitor 10.2.2 can be attacked by modifying the snmpd.conf file with malicious JavaScript (XSS) (CWE-79) (CVE-2012-2577). The malicious JavaScript is stored in the application and may then be leveraged to mount a CSRF (CWE-352) (CVE-2012-2602) attack against a logged-on administrator.
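The defensive side of both issues, as an added example that is not code from this note or from Solarwinds: SNMP-sourced strings (here parsed from a constructed snmpd.conf) are rendered once without encoding, reproducing the CWE-79 defect, and once HTML-escaped, and a per-session anti-forgery token of the kind that stops the CSRF follow-on is checked in constant time. All function names and the sample file are assumptions made for the example.

```python
import html
import hmac

# Constructed sample of the snmpd.conf directives whose values an SNMP agent
# returns to a monitoring system. Everything between the quotes is controlled by
# whoever can edit the file on the monitored host.
SAMPLE_SNMPD_CONF = """
# comment lines are ignored
syslocation "Rack 12 <b>DC-West</b>"
syscontact "ops@example.test <script>/*injected*/</script>"
"""


def parse_snmpd_conf(text):
    """Return {directive: value} for quoted single-value directives."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        values[directive.lower()] = value.strip().strip('"')
    return values


def render_node_row(values, safe=True):
    """Build the node-details table row a monitoring UI would show.

    safe=False reproduces the stored-XSS defect: raw SNMP strings land in the
    page. safe=True applies HTML entity encoding at the output point.
    """
    enc = html.escape if safe else (lambda s: s)
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        enc(values.get("syslocation", "")), enc(values.get("syscontact", "")))


def make_csrf_token(server_key, session_id):
    """Derive a per-session anti-forgery token from a server-side key."""
    return hmac.new(server_key, session_id.encode(), "sha256").hexdigest()


def is_csrf_valid(server_key, session_id, submitted):
    """Accept a state-changing request only if the token matches the session."""
    expected = make_csrf_token(server_key, session_id)
    return hmac.compare_digest(expected, submitted or "")
```

Script injected via sysContact is rejected by the output encoding, and a request that a stored script could otherwise forge fails the token check because the script has no way to read the per-session value.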
Impact
A remote unauthenticated attacker may obtain sensitive information, cause a denial of service condition or execute arbitrary code with the privileges of the application.
Solution
Apply an Update
Solarwinds has released Network Performance Monitor 10.3.1 to address these vulnerabilities. Customers may obtain the update from the Solarwinds Customer Portal.
Restrict access
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| SOLARWINDS | Affected | 25 Jun 2012 | 03 Aug 2012 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Temporal | 5.3 | E:POC/RL:OF/RC:C |
| Environmental | 5.3 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
Credit
Thanks to Offensive Security for reporting these vulnerabilities.
This document was written by Jared Allar.
Other Information
- CVE IDs: CVE-2012-2602 CVE-2012-2577
- Date Public: 20 Jul 2012
- Date First Published: 03 Aug 2012
- Date Last Updated: 15 May 2013
- Document Revision: 14