Solarwinds ≫ Serv-u

A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.

Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been dete...

When a user has admin rights in Serv-U Console, the user can move, create and delete any files are able to be accessed on the Serv-U host machine.

Serv-U server responds with valid CSRFToken when the request contains only Session.

The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that can take the form of user string variables, allowing remote code execution.

Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. S...

Share/IncomingWizard.htm in SolarWinds Serv-U before 15.2.3 mishandles the user-supplied SenderEmail parameter, aka "Share URL XSS."

An issue was discovered in SolarWinds Serv-U before 15.2.2. Unauthenticated attackers can retrieve cleartext passwords via macro Injection. NOTE: this had a distinct fix relative to CVE-2020-35481.

In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server's filesystem) can add...

SolarWinds Serv-U before 15.2.2 allows authenticated reflected XSS.