Vulnerability CVE-2019-17125

Vulnerability CVE-2019-17125

Published: 2020-01-17

Description:

A Reflected Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score	Impact Subscore	Exploitability Subscore
4.3/10	2.9/10	8.6/10

Exploit range	Attack complexity	Authentication
Remote	Medium	No required
Confidentiality impact	Integrity impact	Availability impact
None	Partial	None

Affected software
Solarwinds -> Orion platform

References:

https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2019-4-Hotfix-3?ui-force-components-controllers-recordGlobalValueProvider.RecordGvp.getRecord=1&r=116&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1

https://support.solarwinds.com/SuccessCenter/s/orion-platform

Vulnerability CVE-2019-17125

A Reflected Client Side Template Injection (CSTI) with Angular was discovered in the SolarWinds Orion Platform 2019.2 HF1 in many forms. An attacker can inject an Angular expression and escape the Angular sandbox to achieve stored XSS.

CWE-79

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

4.3/10

2.9/10

8.6/10

Remote

Medium

No required

None

Partial

None

Affected software

References: