PT-2020-14707 · Solarwinds · Solarwinds N-Central

Published: 2020-10-19 · Updated: 2020-10-29 · CVE-2020-15910

CVSS v3.1: 4.7 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SolarWinds N-Central versions prior to 12.3 GA

Description: The session cookie is issued without the HTTPOnly flag in the Set-Cookie header, so page JavaScript can read it and potentially extract the JSESSIONID value. An attacker could reach this cookie by sending the user to a prepared webpage or by influencing JavaScript that runs in the application's origin. The missing flag makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Recommendations: For SolarWinds N-Central versions prior to 12.3 GA, update to a version that sets the HTTPOnly flag in the Set-Cookie header for the session cookie, which prevents JavaScript access. As a temporary workaround, restrict access to sensitive information and consider additional security measures to protect against session cookie theft.
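A quick way to verify the fix after updating is to inspect the Set-Cookie header the login response returns. The checker below is an added example, not SolarWinds code; it parses each Set-Cookie value, finds the JSESSIONID cookie named in this advisory, and reports which protective attributes are absent. It goes slightly beyond the advisory by also checking Secure and SameSite, which a hardened session cookie should carry. The sample header lines are constructed, not captured from a real N-Central instance.

```python
from typing import Dict, List, Optional, Tuple

# Attributes a session cookie should carry: HttpOnly blocks script access
# (document.cookie), Secure keeps it off plaintext HTTP, and SameSite limits
# cross-site sending. Attribute names are matched case-insensitively.
REQUIRED_ATTRS = ("httponly", "secure", "samesite")


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (name, value, {attribute: value-or-None})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value.strip(), attrs


def missing_protections(set_cookie_headers: List[str],
                        session_name: str = "JSESSIONID") -> List[str]:
    """Return the protective attributes absent from the named session cookie.

    An empty list means the cookie is fully flagged; ["cookie not set"] means
    no Set-Cookie header in the response carried that cookie at all.
    """
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name == session_name:
            return [a for a in REQUIRED_ATTRS if a not in attrs]
    return ["cookie not set"]


# Constructed sample headers: the first lacks HttpOnly (the weakness this
# advisory describes); the second is the corrected form a patched build should send.
VULNERABLE_HEADERS = ["JSESSIONID=abc123; Path=/; Secure"]
FIXED_HEADERS = ["JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"]

if __name__ == "__main__":
    for label, headers in (("vulnerable", VULNERABLE_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, "missing:", missing_protections(headers) or "none")
```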

Fix

Incorrect Permission


Weakness Enumeration

Related Identifiers: CVE-2020-15910

Affected Products: Solarwinds N-Central