Unrestricted access to Orion.UserSettings SWIS entity for low-privilege users (CVE-2021-35248)

Summary

Insecure permissions allow low-privilege Orion users to query the Orion.UserSettings SWIS entity. The query results expose usernames and basic user settings.

Affected Products

  • Orion 2020.2.6 HF2 and earlier

Fixed Software Release

  • Orion 2020.2.6 HF3

Advisory Details

  • Severity: Medium
  • Advisory ID
  • First Published: 12/20/2021
  • Fixed Version: Orion 2020.2.6 HF3
  • Workarounds
  • CVSS Score