Database Performance Analyzer
Monthly
Stored cross-site scripting in SolarWinds Database Performance Analyzer enables a highly privileged, adjacent-network attacker to persist malicious scripts in the application that execute within other users' browsers upon page load. The CVSS vector (AV:A/AC:H/PR:H/UI:R) imposes substantial constraints - adjacency, high complexity, admin-level credentials, and victim interaction are all required - limiting realistic risk to insider-threat or post-compromise scenarios. No public exploit code and no CISA KEV listing have been identified at time of analysis.
SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. Rated medium severity (CVSS 5.6). This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.
XSS attack was possible in DPA 2023.2 due to insufficient input validation. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
No exception handling vulnerability which revealed sensitive or excessive information to users. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This vulnerability occurred due to missing input sanitization for one of the output fields that is extracted from headers on specific section of page causing a reflective cross site scripting attack. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Stored cross-site scripting in SolarWinds Database Performance Analyzer enables a highly privileged, adjacent-network attacker to persist malicious scripts in the application that execute within other users' browsers upon page load. The CVSS vector (AV:A/AC:H/PR:H/UI:R) imposes substantial constraints - adjacency, high complexity, admin-level credentials, and victim interaction are all required - limiting realistic risk to insider-threat or post-compromise scenarios. No public exploit code and no CISA KEV listing have been identified at time of analysis.
SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. Rated medium severity (CVSS 5.6). This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.
XSS attack was possible in DPA 2023.2 due to insufficient input validation. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
No exception handling vulnerability which revealed sensitive or excessive information to users. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This vulnerability occurred due to missing input sanitization for one of the output fields that is extracted from headers on specific section of page causing a reflective cross site scripting attack. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.