CVE-2021-35240: 
SolarWinds Platform vulnerability analysis and mitigation

A security researcher discovered a stored Cross-Site Scripting (XSS) vulnerability in SolarWinds Orion Platform versions 2020.2.5 and earlier, specifically affecting customers using Internet Explorer due to lack of 'rel=noopener' support. The vulnerability was assigned CVE-2021-35240 and was disclosed on August 31, 2021 (NVD, SolarWinds Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and received a CVSS v3.1 base score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L) from SolarWinds, while NVD assigned a score of 4.8 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) (NVD).

The vulnerability could allow an attacker to execute arbitrary web script or HTML through the Help Server setting when users are accessing the system through Internet Explorer. This could potentially lead to unauthorized access to user data or system manipulation (SolarWinds Advisory).

The vulnerability was fixed in Orion Platform 2020.2.6 Hotfix 1. SolarWinds recommends upgrading to this version or later to address the security issue (SolarWinds Advisory).