Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
7.5
CVSSv2

CVE-2014-9566

Published: 10/03/2015 Updated: 11/03/2015
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 755
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Solarwinds

Vulnerability Summary

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) prior to 11.5, NetFlow Traffic Analyzer (NTA) prior to 4.1, Network Configuration Manager (NCM) prior to 7.3.2, IP Address Manager (IPAM) prior to 4.3, User Device Tracker (UDT) prior to 3.2, VoIP & Network Quality Manager (VNQM) prior to 4.2, Server & Application Manager (SAM) prior to 6.2, Web Performance Monitor (WPM) prior to 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint.

Vulnerable Product Search on Vulmon Subscribe to Product

solarwinds orion voip \\& network quality manager

solarwinds orion server and application manager

solarwinds orion network configuration manager

solarwinds orion user device tracker

solarwinds orion network performance monitor

solarwinds orion web performance monitor

solarwinds orion netflow traffic analyzer

solarwinds orion ip address manager

Exploits

Exploit DB: SolarWinds Orion Service - SQL Injection
I found a couple SQL injection vulnerabilities in the core Orion service used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…) This service provides a consistent configuration and authentication layer across the products To be exact, the vulnerable applications and versions are: Network Performance Monitor -- < 115 NetFlow T ...
Exploit DB: Solarwinds Orion Service SQL Injection
Various remote SQL injection vulnerabilities exist in the core Orion service used in most of the Solarwinds products Affected products include Network Performance Monitor below version 115, NetFlow Traffic Analyzer below version 41, Network Configuration Manager below version 732, IP Address Manager below version 43, User Device Tracker below ...

References

CWE-89http://www.solarwinds.com/documentation/orion/docs/releasenotes/releasenotes.htmhttp://packetstormsecurity.com/files/130637/Solarwinds-Orion-Service-SQL-Injection.htmlhttps://github.com/rapid7/metasploit-framework/pull/4836http://www.exploit-db.com/exploits/36262http://volatile-minds.blogspot.com/2015/02/authenticated-stacked-sql-injection-in.htmlhttp://osvdb.org/show/osvdb/118746http://seclists.org/fulldisclosure/2015/Mar/18https://nvd.nist.govhttps://www.exploit-db.com/exploits/36262/
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
injectionCVE-2024-30983CVE-2023-4235CVE-2024-21338privilegeencryptionCVE-2023-4232CVE-2024-31497CVE-2024-32341
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook