CVE-2021-35239

Stored XSS in Maps text box hyperlink Vulnerability

Description

A security researcher found a user with Orion map manage rights could store XSS through via text box hyperlink.

Solution:

SolarWinds recommends installing 2020.2.6 Hotfix 1 for the Orion Platform as soon as it becomes available. All customers should implement all the recommendations from the Orion Secure Configuration Guide.

Workaround:

If you are unable to upgrade immediately. See SolarWinds Knowledgebase Article Below: https://support.solarwinds.com/SuccessCenter/s/article/Mitigate-the-Stored-XSS-in-Maps-text-box-hyperlink-vulnerability-CVE-2021-35239?language=en_US

Link	Tags
https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm	product vendor advisory
https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2020-2-6-Hotfix-1?language=en_US	vendor advisory
https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35239	vendor advisory
https://support.solarwinds.com/SuccessCenter/s/article/Mitigate-the-Stored-XSS-in-Maps-text-box-hyperlink-vulnerability-CVE-2021-35239?language=en_US	mitigation vendor advisory

What is the severity of CVE-2021-35239?: CVE-2021-35239 has been scored as a high severity vulnerability.
How to fix CVE-2021-35239?: To fix CVE-2021-35239: SolarWinds recommends installing 2020.2.6 Hotfix 1 for the Orion Platform as soon as it becomes available. All customers should implement all the recommendations from the Orion Secure Configuration Guide.
Is CVE-2021-35239 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-35239 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-35239?: CVE-2021-35239 affects SolarWinds Orion Platform.