Exposed Dangerous Functions - Privileged Escalation 

(CVE-2021-35234)

Summary

Numerous exposed dangerous functions within Orion Core allow for read-only SQL injection leading to privilege escalation. An attacker with low-user privileges may steal password hashes and password salt information.

Affected Products

  • Orion Platform 2020.2.6 HF2 and earlier

Fixed Software Release

  • Orion Platform 2020.2.6 HF3

Acknowledgments

  • Trend Micro, Zero Day Initiative

Advisory Details

Severity

8.0 High

Advisory ID

First Published

12/20/2021

Fixed Version

Orion Platform 2020.2.6 HF3

Workarounds