CVE-2021-35237
Severity: MEDIUM
Kiwi Syslog Server < 9.7.2 - Clickjacking via Missing X-Frame-Options Header
Title source: llmDescription
A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server leaves customers vulnerable to clickjacking. Clickjacking is an attack in which an attacker overlays a transparent iframe on a window to trick a user into clicking an actionable item, such as a button or link, that actually belongs to another server hosting an identical-looking page. The attacker essentially hijacks the user activity intended for the original server and redirects it to the other server. This is an attack on both the user and the server.
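As an added example (not code from the CVE record or from SolarWinds), a small Python check that reports whether a response's headers leave the page framable by an arbitrary site, which is the missing-header condition this advisory describes; the sample header sets are constructed, and the Content-Security-Policy handling is included because it is the modern replacement for X-Frame-Options.

```python
# Added example (not part of the CVE record or the vendor's code): classify an
# HTTP response's framing policy from its headers, the check a defender would
# run to spot the missing-header condition described above.

def framing_policy(headers):
    """Return (framable_by_any_site, reason) for a dict of response headers.
    Names match case-insensitively; a CSP frame-ancestors directive wins over
    X-Frame-Options because browsers that support CSP ignore XFO when both exist."""
    lower = {name.lower(): value for name, value in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = {t.lower() for t in tokens[1:]}
            if not sources or sources == {"'none'"}:
                return False, "CSP frame-ancestors forbids all framing"
            if "*" in sources:
                return True, "CSP frame-ancestors * lets any site frame the page"
            return False, "CSP frame-ancestors limits framing to listed origins"
    xfo = lower.get("x-frame-options")
    if xfo is None:
        return True, "no X-Frame-Options or CSP frame-ancestors header at all"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return False, f"X-Frame-Options {value} blocks cross-site framing"
    if value.startswith("ALLOW-FROM"):
        return True, "ALLOW-FROM is ignored by current browsers, so nothing is blocked"
    return True, f"unrecognised X-Frame-Options value {xfo!r} is ignored"

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "unpatched": {"Content-Type": "text/html"},
    "xfo_sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "allow_from_only": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}

def audit(samples=SAMPLES):
    """Map each sample name to True when an arbitrary site could frame it."""
    return {name: framing_policy(h)[0] for name, h in samples.items()}

if __name__ == "__main__":
    for name, h in SAMPLES.items():
        framable, reason = framing_policy(h)
        print(f"{name:18} {'FRAMABLE' if framable else 'protected':9} {reason}")
```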
References (2)
- Release Notes, Vendor Advisory (x_refsource_misc): https://documentation.solarwinds.com/en/success_center/kss/content/release_notes/kss_9-8_release_notes.htm
- Vendor Advisory (x_refsource_misc): https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35237
Scores
CVSS v3: 5.0
EPSS: 0.0093
EPSS Percentile: 55.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Details
CWE: CWE-1021
Status: published
Products (1)
solarwinds/kiwi_syslog_server: < 9.7.2
Published: Oct 29, 2021
Tracked Since: Feb 18, 2026