CVE-2018-19767
Description
Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "PresentSpace.jsp" has reflected XSS via the ConnPoolName and GroupId parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
InfoVista VistaPortal SE 5.1 (build 51029) is vulnerable to reflected cross-site scripting via the ConnPoolName and GroupId parameters in PresentSpace.jsp.
Vulnerability
InfoVista VistaPortal SE version 5.1 (build 51029) contains a reflected cross-site scripting vulnerability in the page PresentSpace.jsp. The application fails to sanitize user-supplied input passed to the ConnPoolName and GroupId parameters, allowing an attacker to inject arbitrary HTML or JavaScript code into the response. No authentication or special privileges are required to reach the vulnerable page.
Exploitation
An attacker can craft a malicious URL containing JavaScript payloads in the ConnPoolName or GroupId parameters of PresentSpace.jsp and deliver it to a victim (e.g., via email or a link). When the victim opens the URL in a browser that processes the page, the injected script executes within the security context of the affected site, as no sanitization is performed on these parameters [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, defacement, theft of sensitive information displayed on the page, or phishing attacks. The scope of impact is limited to the victim's browser session and the data accessible through the VistaPortal SE interface.
Mitigation
As of the publication date (December 17, 2018), no official patch or updated version has been released. The vendor has not publicly acknowledged or addressed the vulnerability in the available references [1]. Administrators should restrict access to the vulnerable page through network controls (e.g., web application firewall rules filtering on ConnPoolName and GroupId parameters) and apply input validation as a temporary workaround. The product's security posture should be re-evaluated when a fix becomes available.
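A log-review check for the two parameters named above, as an added example (not code from the advisory or the vendor): it flags requests to PresentSpace.jsp whose ConnPoolName or GroupId value decodes to HTML or script markup, including double-encoded values. The access-log format, the `/portal/` path prefix and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

WATCHED = {"connpoolname", "groupid"}  # parameter names from the CVE description
# Characters and patterns that have no place in a pool name or group id (assumption).
MARKUP = re.compile(r"[<>\"'`]|javascript:|\bon\w+\s*=", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so that %253C is inspected as '<'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, decoded_value)] for watched parameters carrying markup."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    path = url.path.split(";")[0].lower()  # drop ;jsessionid=... path parameters
    if not path.endswith("/presentspace.jsp"):
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(value)
        if name.lower() in WATCHED and MARKUP.search(value):
            hits.append((name, value))
    return hits

# Constructed sample lines (combined log format, documentation IP range).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Dec/2018:10:02:11 +0000] "GET /portal/PresentSpace.jsp?ConnPoolName=Default&GroupId=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Dec/2018:10:03:40 +0000] "GET /portal/PresentSpace.jsp?ConnPoolName=%3Cscript%3Ealert(1)%3C%2Fscript%3E&GroupId=42 HTTP/1.1" 200 5188',
    '203.0.113.9 - - [17/Dec/2018:10:04:02 +0000] "GET /portal/PresentSpace.jsp?ConnPoolName=Default&GroupId=%2522%253E%253Cb%253E HTTP/1.1" 200 5150',
    '203.0.113.5 - - [17/Dec/2018:10:05:19 +0000] "GET /portal/Other.jsp?q=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in suspicious_params(line):
            print(f"{line.split()[0]} {name}={value!r}")
```

The same pattern can serve as the basis for a WAF deny rule scoped to PresentSpace.jsp, since it only inspects the two affected parameters.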
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 5.1 (build 51029)
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/150690/VistaPortal-SE-5.1-Cross-Site-Scripting.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2018/Dec/20 (mitre, mailing-list, x_refsource_FULLDISC)