CVE-2021-35237

low-risk

Published 2021-10-29

A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server. This is an attack on both the user and the server.

Do I need to act?

0.41% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.0/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Kiwi Syslog Server

Affected Vendors

Solarwinds

References (4)

Release Notes https://documentation.solarwinds.com/en/success_center/kss/content/release_notes...

Vendor Advisory https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35237

Release Notes https://documentation.solarwinds.com/en/success_center/kss/content/release_notes...

Vendor Advisory https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35237

/ 100

low-risk

Severity 16/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal