CVE-2021-35215 HIGH

CVE-2021-35215: ActionPluginBaseView Deserialization of Untrusted Data RCE

Vendor Solarwinds

Product Orion Platform

Weakness CWE-502 · Unsafe deserialization

Published September 1, 2021

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

8.9/10

Attack vector Adjacent

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

What the vulnerability does

01Description

Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.

Key dates

02Disclosure timeline

September 1, 2021 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-35215

Related vulnerabilities

04Related CVE

CVE-2025-69382 WordPress Themesflat Elementor plugin <= 1.0.1 - PHP Object Injection vulnerability CVE-2026-49106 WordPress Integration for Contact Form 7 and Constant Contact plugin <= 1.1.6 - PHP Object Injection vulnerability CVE-2025-24794 The Snowflake Connector for Python uses insecure deserialization of the OCSP response cache CVE-2023-4402 Essential Blocks <= 4.2.0 - Unauthenticated PHP Object Injection via products CVE-2025-2043 LinZhaoguan pb-cms Add New Topic admin#themes deserialization

Identifiers

CVE CVE-2021-35215

CWE CWE-502

CVSS 8.9 / HIGH

Affected versions

Vendor Solarwinds

Product Orion Platform

Affected ≥ 2020.2.5 and previous versions and < 2020.2.6