Alex Craggs

**Name of the Vulnerable Software and Affected Versions** SolarWinds SFTP/SCP Server versions prior to 2018-09-10 **Description** The configuration file of the affected software is world readable and writable, storing user passwords insecurely. This allows an attacker to determine passwords for potentially privileged accounts and grants the ability to backdoor the server. **Recommendations** For versions prior to 2018-09-10, restrict access to the configuration file to prevent unauthorized modifications and reading of sensitive information. As a temporary workaround, consider implementing additional access controls to limit the potential impact of the insecure password storage.

**Name of the Vulnerable Software and Affected Versions** SolarWinds SFTP/SCP server through 2018-09-10 **Description** The issue allows an attacker to exploit a world-readable and writable configuration file, leading to XXE (XML External Entity) vulnerability. This vulnerability enables an attacker to exfiltrate data. **Recommendations** For SolarWinds SFTP/SCP server through 2018-09-10, consider restricting access to the configuration file to prevent it from being world-readable and writable until a fix is available. As a temporary workaround, limit the permissions on the configuration file to minimize the risk of exploitation.