CVE-2020-15910
MEDIUMSolarWinds N-Central < 12.3 - Session Cookie Exposure via Missing HTTPOnly Attribute
Title source: llmDescription
SolarWinds N-Central version 12.3 GA and lower does not set the JSESSIONID attribute to HTTPOnly. This makes it possible to influence the cookie with javascript. An attacker could send the user to a prepared webpage or by influencing JavaScript to the extract the JESSIONID. This could then be forwarded to the attacker.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://limenetworks.nl/wp-content/uploads/CVE-934261-v-1.2.pdf
Product x_refsource_misc
https://www.solarwindsmsp.com/products/n-central
Scores
CVSS v3
4.7
EPSS
0.0552
EPSS Percentile
91.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Details
CWE
CWE-732
Status
published
Products (1)
solarwinds/n-central
< 12.3
Published
Oct 19, 2020
Tracked Since
Feb 18, 2026