Unrestricted access to Orion.UserSettings SWIS entity for low-privilege users (CVE-2021-35248)
Summary
Insecure permissions allow low-privilege Orion users to query the Orion.UserSettings SWIS entity. The query results expose usernames and basic user settings.
Affected Products
- Orion 2020.2.6 HF2 and earlier
Fixed Software Release
- Orion 2020.2.6 HF3
Advisory Details
Severity: 6.8 Medium
Advisory ID:
First Published: 12/20/2021
Fixed Version: Orion 2020.2.6 HF3