CVE-2020-15910
MEDIUMSolarwinds N-central < 12.3 - Incorrect Permission Assignment
Title source: ruleDescription
SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be forwarded to the attacker.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://limenetworks.nl/wp-content/uploads/CVE-934261-v-1.2.pdf
Product x_refsource_misc
https://www.solarwindsmsp.com/products/n-central
Scores
CVSS v3
4.7
EPSS
0.0036
EPSS Percentile
58.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Details
CWE
CWE-732
Status
published
Products (1)
solarwinds/n-central
< 12.3
Published
Oct 19, 2020
Tracked Since
Feb 18, 2026