Solarwinds Web Help Desk: Software update closes critical gaps
The developers have corrected some critical security vulnerabilities in Solarwinds' Web Help Desk. IT managers should update quickly.
(Image: created with AI in Bing Designer by heise online / dmk)
Solarwinds has released version 12.8.4 of its Web Help Desk software. In it, the manufacturer closes a vulnerability in the actual software – and also plugs some critical security gaps in components supplied by third-party providers. IT managers should apply the update without delay.
Solarwinds lists the closed security leaks in the release notes for the new Web Help Desk version. The developers have corrected a vulnerability in Web Help Desk itself through which files can be read if the software is running under Linux and the development or test mode, which is not enabled by default, is active (CVE-2024-45709, CVSS 5.3, risk "medium").
Web Help Desk: Problematic third-party components
The supplied third-party components, on the other hand, are much more problematic: Apache Tomcat has a security vulnerability that could allow attackers to bypass authentication and thus gain unauthorized access (CVE-2024-52316, CVSS 9.8, critical). DOMPurify is intended to protect against cross-site scripting, but is itself vulnerable to mutated cross-site scripting (mXSS) (CVE-2024-47875, CVSS 9.8, critical), contains a prototype-pollution vulnerability (CVE-2024-48910, CVSS 9.1, critical) and is affected by two further cross-site scripting vulnerabilities, one high-risk (CVE-2024-45801, CVSS 7.3, high) and one moderate (CVE-2020-26870, CVSS 6.1, medium).
The updated version 12.8.4 is available for download on the Solarwinds website or in the Solarwinds customer portal.
The Solarwinds Web Help Desk software is also a target of cybercriminals. In mid-October, the US IT security authority CISA warned of active attacks on a critical vulnerability in Web Help Desk, which the manufacturer had patched with updates in August. Admins should therefore not hesitate, but apply the software update promptly.
(dmk)