VYPR
Unrated severity · NVD Advisory · Published Dec 17, 2018 · Updated Aug 5, 2024

CVE-2018-19772

Description

Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "EditCurrentPresentSpace.jsp" has reflected XSS via the ConnPoolName, GroupId, and ParentId parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in InfoVista VistaPortal SE 5.1 allows attackers to inject arbitrary web script via multiple parameters.

Vulnerability

The EditCurrentPresentSpace.jsp page in InfoVista VistaPortal SE version 5.1 (build 51029) contains a reflected cross-site scripting (XSS) vulnerability. The parameters ConnPoolName, GroupId, and ParentId are not properly sanitized before being echoed back to the user, allowing injection of arbitrary HTML and JavaScript. [1]

Exploitation

An attacker can craft a malicious URL that carries the XSS payload in any of the vulnerable parameters. No authentication is required for exploitation; the victim need only visit the crafted link (while holding a valid session with the application, if any). The payload then executes in the context of the victim's browser. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information displayed on the page. The attacker gains the ability to perform actions on behalf of the victim within the application. [1]

Mitigation

No official patch or updated version has been released as of the publication date (2018-12-17). Administrators should consider input validation for these parameters, such as encoding or rejecting special characters, as a workaround. The product may be end-of-life or no longer supported. [1]
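As an added example (not part of the advisory or the vendor's code), the sketch below prototypes the reject-special-characters rule for the three named parameters and applies it to web access logs to find requests worth reviewing. The character set, the combined log format, and the `/portal/` path prefix in the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET_PAGE = "/editcurrentpresentspace.jsp"       # page named in the advisory
WATCHED = {"connpoolname", "groupid", "parentid"}  # parameters named in the advisory
SPECIAL = re.compile(r"[<>\"'`]")                  # assumption: markup-breaking characters
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # log request field

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are also inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return the watched parameters in a request target that carry special characters."""
    parts = urlsplit(target)
    # Drop path parameters such as ;jsessionid=... and compare case-insensitively.
    path = parts.path.split(";")[0].lower()
    if not path.endswith(TARGET_PAGE):
        return []
    hits = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in WATCHED and SPECIAL.search(fully_decode(value)):
            hits.add(name)
    return sorted(hits)

def scan(log_lines):
    """Return (line_number, parameter_names) for every log line worth reviewing."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        names = suspicious_params(match.group(1)) if match else []
        if names:
            findings.append((number, names))
    return findings

# Constructed sample lines; addresses, paths and values are made up for illustration.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Dec/2018:10:00:00 +0000] "GET /portal/EditCurrentPresentSpace.jsp?ConnPoolName=pool1&GroupId=12&ParentId=3 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [17/Dec/2018:10:02:11 +0000] "GET /portal/EditCurrentPresentSpace.jsp?ConnPoolName=pool1&GroupId=%3Cb%3Etest%3C%2Fb%3E&ParentId=3 HTTP/1.1" 200 5188',
    '192.0.2.44 - - [17/Dec/2018:10:02:40 +0000] "GET /portal/editcurrentpresentspace.jsp;jsessionid=ABC123?ConnPoolName=%22x&ParentId=%253Ci%253E HTTP/1.1" 200 5190',
    '192.0.2.77 - - [17/Dec/2018:10:05:03 +0000] "GET /portal/Search.jsp?q=%3Cb%3E HTTP/1.1" 200 901',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: review {', '.join(names)}")
```

Access logs normally record only the query string, so values sent in a POST body are not visible to this scan.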

References
  1. Packet Storm

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.
