CVE-2018-19770

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The flaw is present in the page Users.jsp, where the ConnPoolName parameter is insufficiently sanitized, allowing an attacker to inject arbitrary JavaScript or HTML in the HTTP response [1]. No authentication is required to reach the vulnerable parameter.

Exploitation

An attacker can craft a URI containing malicious code in the ConnPoolName parameter and trick a victim into clicking on it. No special network position or prior authentication is needed; the attack is carried out over HTTP and does not require user interaction beyond the victim visiting the crafted link [1].

Impact

Successful exploitation leads to reflected XSS, enabling the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can result in disclosure of sensitive session cookies, redirection to malicious sites, or other client-side attacks [1].

Mitigation

No official patch has been identified in the available references [1]. Users should implement output encoding on the ConnPoolName parameter in Users.jsp and consider applying a Web Application Firewall (WAF) rule to block malicious input until a vendor fix is released.