Skip to main content

N Central CVE-2020-15910

MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2020-10-19 cve@mitre.org
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 19, 2020 - 13:15 nvd
MEDIUM 4.7

DescriptionNVD

SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be forwarded to the attacker.

AnalysisAI

SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be forwarded to the attacker. Affected products include: Solarwinds N-Central. Version information: version 12.3.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and restrict file/resource permissions, apply principle of least privilege.

CVE-2025-11700 HIGH POC
8.4 Nov 12

N-able N-central remote monitoring and management platform versions before 2025.4 contain multiple XML External Entity i

CVE-2025-8876 CRITICAL
9.4 Aug 14

N-able N-central before 2025.3.1 contains an OS command injection through improper input validation, companion vulnerabi

CVE-2024-28200 CRITICAL POC
9.8 Jul 01

The N-central server is vulnerable to an authentication bypass of the user interface. Rated critical severity (CVSS 9.8)

CVE-2020-15909 HIGH POC
8.8 Oct 19

SolarWinds N-central through 2020.1 allows session hijacking and requires user interaction or physical access. Rated hig

CVE-2020-7984 HIGH POC
7.5 Jan 26

SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain ad

CVE-2024-5322 CRITICAL
9.1 Jul 01

The N-central server is vulnerable to session rebinding of already authenticated users when using Entra SSO, which can l

CVE-2020-25622 HIGH
8.8 Dec 16

An issue was discovered in SolarWinds N-Central 12.3.0.670. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2020-25618 HIGH
8.8 Dec 16

An issue was discovered in SolarWinds N-Central 12.3.0.670. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2020-25617 HIGH
8.8 Dec 16

An issue was discovered in SolarWinds N-Central 12.3.0.670. Rated high severity (CVSS 8.8), this vulnerability is remote

CVE-2020-25621 HIGH
8.4 Dec 16

An issue was discovered in SolarWinds N-Central 12.3.0.670. Rated high severity (CVSS 8.4), this vulnerability is no aut

CVE-2020-25620 HIGH
7.8 Dec 16

An issue was discovered in SolarWinds N-Central 12.3.0.670. Rated high severity (CVSS 7.8), this vulnerability is low at

CVE-2023-30297 HIGH
7.0 Aug 04

An issue found in N-able Technologies N-central Server before 2023.4 allows a local attacker to execute arbitrary code v

Share

CVE-2020-15910 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy