NPM Netpath Horizontal Privilege Escalation Vulnerability 

(CVE-2021-35225)

Summary

In an MSP (Managed Service Provider) environment, any authenticated Orion user can view and browse all NetPath Services belonging to all of the MSP's customers. As a result, any user can gain limited insight into other customers' infrastructure, with potential data cross-contamination.

Affected Products

  • Network Performance Monitor 2020.2.6 HF1 and earlier

Fixed Software Release

Acknowledgments

  • Preston Deason
  • Chad Larsen
  • Zachary Riezenman

Advisory Details

Severity

5.0 Medium

Advisory ID

First Published

10/19/2021

Fixed Version

Workarounds