ImportAlert Improper Access Control Tampering Vulnerability

(CVE-2021-35221)

Summary

ImportAlert Improper Access Control Tampering Vulnerability. This vulnerability allows attackers to add arbitrary SMTP servers to the server configuration. Authentication is required but can be a guest.

Affected Products

Orion Platform 2020.2.5 and earlier

Fixed Software Release

Orion Platform 2020.2.6
HF 1

Acknowledgments

Alex Birnberg of Zymo Security and FireEye

Advisory Details

Severity

6.3 Medium

Advisory ID

CVE-2021-35221

First Published

07/15/2021

Last Updated

08/24/2021

Fixed Version

Orion Platform 2020.2.6 HF 1

Workarounds

Workaround 1

CVSS Score

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:
U/C:L/I:H/A:N