CVE-2021-35213: 
SolarWinds Platform vulnerability analysis and mitigation

An Improper Access Control Privilege Escalation Vulnerability (CVE-2021-35213) was discovered in the User Setting of SolarWinds Orion Platform version 2020.2.5. The vulnerability allows a guest user to elevate privileges to Administrator level, though authentication is required to exploit it. The vulnerability was disclosed on July 15, 2021 (SolarWinds Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper control of access to the SaveUserSetting endpoint, which can be leveraged by an authenticated attacker to escalate privileges from Guest to Administrator (ZDI Advisory).

If successfully exploited, this vulnerability allows an authenticated attacker to elevate their privileges from Guest to Administrator level, potentially gaining complete control over the affected SolarWinds Orion Platform installation (ZDI Advisory).

SolarWinds has released version 2020.2.6 of the Orion Platform to address this vulnerability. Users are advised to upgrade to this version to mitigate the risk (SolarWinds Advisory).