0 Replies Latest reply on Nov 7, 2017 1:25 PM by b.side1111

    XSS in node name

    b.side1111

      We found out today that you can input JavaScript into the "node name" when you edit a node or add a node to SolarWinds, exposing a cross-site scripting vulnerability. You can modify the node name, but it still stores the JavaScript for some reason. You can delete the node, but the script remains in the form of events & audit logs in the database, spreading itself around. Now, it's easy to find and erase if you created it, but the fact that this vulnerability exists leaves all other nodes wide open for any kind of malicious intent, and if SolarWinds happens to hold sensitive data and is integrated into AD and people are logging in with their Admin accounts... well, this could be very bad.
      Does anyone else know about this vulnerability? If so, did you ever find a way to correct it?

      Thanks for any input.
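
The behaviour described in the post (a node name carrying script is copied into event and audit rows and outlives a rename or delete) can be reproduced and swept for as below. This is an added example, not part of the original post and not SolarWinds code: the schema, table names and sample rows are constructed for illustration, using an in-memory SQLite database.

```python
import html
import re
import sqlite3

# Markup that has no business in a node name: tags, event handlers, javascript: URLs.
SUSPECT = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon\w+\s*=|javascript\s*:", re.I)

def build_sample_db():
    """Constructed data in a hypothetical schema (not the product's real tables)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE nodes  (id INTEGER PRIMARY KEY, caption TEXT);
        CREATE TABLE events (id INTEGER PRIMARY KEY, message TEXT);
        CREATE TABLE audit  (id INTEGER PRIMARY KEY, message TEXT);
    """)
    bad = "core-sw1<script>/* constructed marker */</script>"
    db.execute("INSERT INTO nodes VALUES (1, ?)", (bad,))
    db.execute("INSERT INTO nodes VALUES (2, 'edge-rtr2')")
    # The name is copied into log rows when the node is added ...
    db.execute("INSERT INTO events VALUES (1, ?)", (f"Node {bad} added",))
    db.execute("INSERT INTO audit VALUES (1, ?)", (f"admin created node {bad}",))
    db.execute("INSERT INTO events VALUES (2, 'Node edge-rtr2 is Up')")
    # ... so renaming and then deleting the node leaves those copies behind.
    db.execute("UPDATE nodes SET caption = 'core-sw1' WHERE id = 1")
    db.execute("DELETE FROM nodes WHERE id = 1")
    return db

def sweep(db):
    """Return (table, column, rowid, value) for every text cell holding markup."""
    hits = []
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = [c[1] for c in db.execute(f'PRAGMA table_info("{table}")')
                if c[2].upper() == "TEXT"]
        for col in cols:
            for rowid, value in db.execute(
                    f'SELECT rowid, "{col}" FROM "{table}"'):
                if value and SUSPECT.search(value):
                    hits.append((table, col, rowid, value))
    return hits

def render_cell(value):
    """Encode on output so stored markup is displayed as text, never executed."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for table, col, rowid, value in sweep(build_sample_db()):
        print(f"{table}.{col} row {rowid}: {render_cell(value)}")
```

The sweep finds the copies in the event and audit rows even though the node itself is gone, which is why cleaning only the node table is not enough; encoding at render time is what stops any remaining copy from executing.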