SQL injection vulnerability in McAfee Data Loss Prevention (DLP) ePO extension prior to 11.7.100 allows a remote attacker logged into ePO as an administrator to inject arbitrary SQL into the ePO database through the user management section of the DLP ePO extension.

CVE-2021-31849: Security Bulletin - Data Loss Prevention ePO extension update fixes two vulnerabilities (CVE-2021-31848 and CVE-2021-31849)

SQL Injection vulnerability in pay.php in millken doyocms 2.3, allows attackers to execute arbitrary code, via the attribute parameter.

CVE-2021-26739: There is a sqli vulnerability in pay.php，No admin user login required · Issue #5 · millken/doyocms

A SQL injection vulnerability in TopicMapper.xml of PybbsCMS v5.2.1 allows attackers to access sensitive database information.

CVE-2020-28702: SQL injection vulnerability in version 5.2.1 · Issue #137 · tomoya92/pybbs

AVideo/YouPHPTube AVideo/YouPHPTube 10.0 and prior is affected by a SQL Injection SQL injection in the catName parameter which allows a remote unauthenticated attacker to retrieve databases information such as application passwords hashes.

CVE-2021-25874

In Apache DolphinScheduler before 1.3.6 versions, authorized users can use SQL injection in the data source center. (Only applicable to MySQL data source with internal login account password)

CVE-2021-27644

CVE-2021-27644: Pony Mail!

SQL Injection vulnerability exists in all versions of Yonyou TurboCRM.via the orgcode parameter in changepswd.php. Attackers can use the vulnerabilities to obtain sensitive database information.

CVE-2021-41746: SQL injection · Issue #1 · purple-WL/Yonyou-TurboCRM-SQL-injection

An SQL Injection vulnerabilty exists in the oretnom23 Pharmacy Point of Sale System 1.0 in the login function in actions.php.

CVE-2021-41676: 0dayHunt/pharmacypossqli.txt at main · janikwehrli1/0dayHunt

An SQL Injection vulnerability exists in Sourcecodester E-Negosyo System 1.0 via the user_email parameter in /admin/login.php.

CVE-2021-41674: 0dayHunt/E-Negosyo-System-SQLi.txt at main · janikwehrli1/0dayHunt

A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. This is an attack on both the user and the server.

**Kiwi Syslog Server 9.8 Release Notes**

Release date: October 19, 2021

These release notes describe the new features, improvements, and fixed issues in Kiwi Syslog Server 9.8. They also provide information about upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Kiwi Syslog Server, see Previous Version documentation.

**New features and improvements**

Kiwi Syslog Server 9.8 offers new features and improvements compared to previous versions of Kiwi Syslog Server

**Microsoft SQL Server 2019 support**

Kiwi Syslog Server now supports and successfully writes messages to the Microsoft SQL Server 2019 database.

**New Internet Information Server (IIS) webserver for Kiwi Web Access**

The UltiDevWebServer has been deprecated and Kiwi Syslog Server now leverages Internet Information Server (IIS) to provide modern and secure web service.

**Support for SNMPv3 credentials**

Kiwi Syslog Server now supports functionality for adding and removing SNMPv3 user credentials, including values for username, authentication password, private password, algorithms, and security level. See fixed issues below for more details.

**Licensing framework upgrade**

Kiwi Syslog Server 9.8 offers the latest SolarWinds licensing framework to be using in conjunction with SolarWinds logging.

**Updated jQuery library**

The jQuery library used in Kiwi Syslog Server has been updated to version 3.6.0.

**Removal of .NET versions 2.0 and 3.5**

Kiwi Syslog Server will no longer require and operate on the .NET 2.0 and 3.5 frameworks to improve security of customer sessions and cookies. See fixed issues below for more details.

**New customer installation**

Return to top

For information about installing Kiwi Syslog Server, see the Kiwi Syslog Server Installation Guide.

After installation, see the Kiwi Syslog Server Getting Started Guide for implementation and troubleshooting guidelines. The guide walks you through common configuration tasks to help you get up and running quickly.

**How to upgrade**

If you are upgrading from an earlier version, use the Kiwi Syslog Server Upgrade Guide to plan and implement an upgrade to Kiwi Syslog Server9.8.

**Fixed issues in KSS 9.8**

Return to top

KSS 9.8 fixes the following issues.

 

Case Number

Description

N/A

The KiwiSyslogLicensor.exe application is now digitally signed.

00179952, 00815565, 00490222

SNMPv3 credentials are now exported appropriately without crashing the service.

00202438, 00296403, 00376967, 00864855, 00864855, 00254325, 00389680, 00220030

UTF-8 symbols now display correctly in action and text fields.

00744921, 00759402, 00820497

The HTTP security header is now detectable.

00799858, 00871069, 00798372

The Windows unquoted path vulnerability has been resolved. See CVEs below.

N/A

The License Manager version 2.0.0.732 now loads correctly.

00589979

The session identifier is now updated and resolves the potential vulnerability. See CVEs below.

00820497, 00669111

The HTTP TRACK and TRACE vulnerabilities have been resolved. See CVEs below.

00625071

Software versions are no longer viewable in the HTTP header.

00775510, 00788703, 00792253, 00841628, 00767612, 00841066, 00844947, 00896711

Users are now able to save filters from the Events tab.

00746439, 00740074, 00747488, 00747419, 00750586, 00752088, 00753175, 00752132, 00755082, 00746654, 00747625, 00749786, 00746328, 00753257, 00744039,

Users with Kiwi CatTools 3.11.8 are now able to continue the Kiwi Syslog Server setup process.

00640200

.NET CLR no longer presents a potential FIPS vulnerability. See CVEs below.

00711054, 00737175, 00773411, 00802805, 00641765, 00641360, 00710850, 00748954, 00764883, 00818115, 00874516, 00881358, 00789612

Users no longer receive the HttpUnhandledException error while attempting to access the Events tab in the Web Access portal.

00688130, 00779774, 00861151, 00683475, 00709991, 00753162, 00704103, 00837374, 00903887

Users are now able to import filters appropriately in the Kiwi Web Access portal.

00667753

The script to pass custom variables now works as expected.

00743108, 00762258, 00865670

Users no longer lose Priority information while spoofing with Npcap.

00744054

Npcap spoofing no longer fails if "hostname" is used as a destination.

00773496, 00809603

Users are now able to reset passwords in the Admin tab in the Web Access portal.

00780022

Russian language files are no longer detected in the installation package.

00863789

In the Forward to another host action, the options for New Facility and New Level are now correctly named.

**CVEs**

Return to top

SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.

    

CVE-ID

Vulnerability Title

Description

Severity

Credit

CVE-2021-35233

HTTP TRACK & TRACK Methods Enabled Vulnerability

The HTTP TRACK & TRACE methods were enabled in Kiwi Syslog Server 9.7.1 and earlier. These methods are intended for diagnostic purposes only. If enabled, the web server will respond to requests that use these methods by returning exact HTTP request that was received in the response to the client. This may lead to the disclosure of sensitive information such as internal authentication headers appended by reverse proxies.

Medium

N/A

CVE-2021-35235

ASP.NET Debug Feature Enabled

The ASP.NET debug feature is enabled by default in Kiwi Syslog Server 9.7.1. ASP.NET allows remote debugging of web applications, if configured to do so. Debug mode causes ASP.NET to compile applications with extra information. The information enables a debugger to closely monitor and control the execution of an application.

If an attacker could successfully start a remote debugging session, this is likely to disclose sensitive information about the web application and supporting infrastructure that may be valuable in targeting SWI with malicious intent.

Medium

N/A

CVE-2021-35236

Missing Secure Flag From SSL Cookie

The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.1. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP, there is a potential for the cookie can be sent in clear text.

Low

N/A

CVE-2021-35237

Clickjacking Vulnerability

A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to click jacking.

Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. This is an attack on both the user and the server.

Medium

N/A

CVE-2021-35231

Unquoted Path Vulnerability (SMB Login)

As a result of an unquoted service path vulnerability present in the Kiwi Syslog Server Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry.

Example vulnerable path:

Computer\\HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Services\\Kiwi Syslog Server\\Parameters\\Application

Medium

David Rickard

Danijel Grah

**End of life**

Return to top

See the End of Life Policy for information about SolarWinds product lifecycle phases. For supported versions and EoL announcements for all SolarWinds products, see Currently supported software versions.

**Legal notices**

Return to top

© 2023 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

Tag

#sql