Unrestricted access to Orion.UserSettings SWIS entity for low-privilege users 

(CVE-2021-35248)

Summary

Insecure permissions allow low-privilege Orion users to query the Orion.UserSettings SWIS entity. The query results expose usernames and basic user settings.

Affected Products

  • Orion 2020.2.6 HF2 and earlier

Fixed Software Release

  • Orion 2020.2.6 HF3

Advisory Details

Severity

6.8 Medium

Advisory ID

First Published

12/20/2021

Fixed Version

Orion 2020.2.6 HF3

Workarounds