SolarWinds Network Performance Monitor CVE-2017-9537 Multiple HTML Injection Vulnerabilities



SolarWinds Network Performance Monitor is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Information

Bugtraq ID: 101071
Class: Input Validation Error
CVE: CVE-2017-9537

Remote: Yes
Local: No
Published: Sep 29 2017 12:00AM
Updated: Sep 29 2017 12:00AM
Credit: Andy Tan
Vulnerable:
    SolarWinds Orion Platform 2017.3 Hotfix 1
    SolarWinds Network Performance Monitor 12.0.15300.90
    SolarWinds Network Performance Monitor 11.5
    SolarWinds Network Performance Monitor 10.7


Not Vulnerable:

Exploit


The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

