CVE-2021-35238 is a stored cross-site scripting (XSS) vulnerability in the SolarWinds Orion Platform: a user with admin rights can store script through the URL POST parameter of the CreateExternalWebsite page. This page covers the impact, the affected versions, and the mitigation steps.
Understanding CVE-2021-35238
This CVE is a stored XSS vulnerability in the SolarWinds Orion Platform. A user who already holds admin rights can submit script in the URL POST parameter of the CreateExternalWebsite page; the value is stored and later rendered to other users of the Orion web console.
What is CVE-2021-35238?
CVE-2021-35238 lets an authenticated Orion administrator inject and store malicious script through the URL POST parameter. Because the XSS is stored rather than reflected, the payload persists in the platform and executes in the browser of any user who later views the stored external website entry, not only in the session that submitted it.
The Impact of CVE-2021-35238
The vulnerability is rated medium severity with a CVSS v3.1 base score of 4.8. The score reflects a network-reachable, low-complexity attack that requires high privileges (an admin account), requires user interaction (a victim must view the stored entry), and changes scope (the script runs in the victim's browser, outside the component that stored it), with low confidentiality and integrity impact and no availability impact. The high-privilege requirement keeps the score down, but in practice the issue gives an administrator, or anyone holding stolen admin credentials, a persistent foothold in the sessions of every other Orion console user.
Technical Details of CVE-2021-35238
This section provides detailed technical information about the vulnerability.
Vulnerability Description
A user with admin rights can inject and store XSS via the URL POST parameter of the CreateExternalWebsite page in the SolarWinds Orion Platform. The submitted URL is stored and subsequently rendered into Orion pages, so script embedded in it executes in the browsers of users who view the stored entry.
Affected Systems and Versions
The affected platform is Windows, and the affected product is SolarWinds Orion Platform version 2020.2.6 and all earlier versions.
Exploitation Mechanism
The attacker needs admin privileges in the Orion web console. With that access, the attacker submits a crafted value in the URL POST parameter of CreateExternalWebsite; the platform stores it, and the script fires when another user (user interaction is required) opens the page that renders the stored external website entry.
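The pattern behind a stored XSS in a "URL" field is the same whatever the product: a value that only needs to be a web address is stored verbatim and later concatenated into markup. The following is an added example, not SolarWinds code and not taken from this page, showing that sink in a deliberately vulnerable form next to a hardened one. The function names, the `title`/`url` field names and the sample submissions are assumptions constructed for illustration; the point is the two controls that stop the class of bug described above: a scheme allow-list at storage time and output encoding at render time.

```javascript
// Added example (not SolarWinds code): a stored-XSS sink for a user-supplied
// "external website" URL, shown in a vulnerable form and a hardened form.
// Field names (title, url) and function names are assumptions for illustration.

// Constructed sample submissions: one legitimate, two hostile.
const SAMPLE_SUBMISSIONS = [
  { title: "Internal wiki", url: "https://wiki.example.internal" },
  { title: "Hostile 1", url: "javascript:alert(document.cookie)" },
  { title: "Hostile 2", url: 'https://x.example/" onmouseover="alert(1)' },
];

// VULNERABLE: the stored URL is concatenated straight into markup, so a
// javascript: scheme or an attribute break-out reaches every viewer's browser.
function renderExternalWebsiteUnsafe(site) {
  return `<a href="${site.url}">${site.title}</a>`;
}

// Encode the characters that are significant in HTML text and attribute values.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Validate at storage time: accept only absolute http(s) URLs and keep the
// parser's normalised form. Returns null for anything else.
function validateExternalWebsiteUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw)); // WHATWG parser; throws on relative or junk input
  } catch (_err) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return null; // rejects javascript:, data:, vbscript:, file:, ...
  }
  return parsed.href;
}

// HARDENED: scheme allow-list before storage, output encoding at render time.
function renderExternalWebsiteSafe(site) {
  const url = validateExternalWebsiteUrl(site.url);
  if (url === null) {
    throw new Error(`rejected external website URL: ${site.url}`);
  }
  return `<a href="${htmlEncode(url)}">${htmlEncode(site.title)}</a>`;
}

// Run both renderers over the samples and report what each produced.
function compareRenderers(submissions = SAMPLE_SUBMISSIONS) {
  return submissions.map((site) => {
    let safe;
    try {
      safe = renderExternalWebsiteSafe(site);
    } catch (err) {
      safe = `REJECTED (${err.message})`;
    }
    return { title: site.title, unsafe: renderExternalWebsiteUnsafe(site), safe };
  });
}

for (const row of compareRenderers()) {
  console.log(row);
}
```

Running it shows the unsafe renderer emitting `href="javascript:..."` and a broken-out `onmouseover` attribute for the two hostile rows, while the hardened path rejects the `javascript:` URL outright and turns the quote-and-space break-out into an inert percent-encoded path. Both controls are needed: encoding alone would still let a `javascript:` URL through as a clickable link, and scheme validation alone would not stop a quote inside an otherwise valid https URL from being interpreted as markup if the template did no encoding.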
Mitigation and Prevention
Here are the steps to mitigate and prevent the CVE-2021-35238 vulnerability.
Immediate Steps to Take
Install Orion Platform 2020.2.6 Hotfix 1, which contains the fix, and apply the recommendations in the Orion Secure Configuration Guide. Until the hotfix is applied, keep the set of accounts holding admin rights in the Orion web console as small as possible, since those are the only accounts that can plant the payload.
Long-Term Security Practices
In the long term, organizations should apply software updates promptly, conduct regular security assessments, keep administrative access to the Orion console to the minimum set of accounts that need it, and periodically review stored configuration such as external website entries for values that are not plain http or https URLs.
Patching and Updates
Regularly monitor for security advisories from SolarWinds and apply patches promptly to prevent exploitation of known vulnerabilities.