CVE-2018-19811
Description
Cross Site Scripting exists in InfoVista VistaPortal SE Version 5.1 (build 51029). The page "/VPortal/mgtconsole/Import.jsp" has reflected XSS via the ConnPoolName parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in InfoVista VistaPortal SE 5.1 (build 51029) via the ConnPoolName parameter in Import.jsp allows remote attackers to inject arbitrary web script.
Vulnerability
A reflected cross-site scripting vulnerability exists in InfoVista VistaPortal SE version 5.1 (build 51029). The page /VPortal/mgtconsole/Import.jsp does not properly sanitize the ConnPoolName parameter, allowing injection of arbitrary HTML and JavaScript. The vulnerable parameter is reflected directly into the response without encoding. [1]
Exploitation
An attacker can craft a malicious URL containing a payload in the ConnPoolName parameter and persuade a victim to click it. No authentication is required to trigger the vulnerability, as the vulnerable page is publicly accessible. The injected script executes in the context of the victim's session. [1]
Impact
Successful exploitation leads to arbitrary JavaScript execution in the victim's browser. This can be used to steal session cookies, perform actions on behalf of the victim, redirect to malicious sites, or deface the page. The impact is limited to the victim's browser session and does not compromise server-side data directly. [1]
Mitigation
As of the publication date (December 2018), no official patch has been released. Users should apply input validation and output encoding for the ConnPoolName parameter. Consider restricting access to the vulnerable page or upgrading to a newer version if available. [1]
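While no patch is available, web server access logs can be reviewed for requests that carry markup in ConnPoolName. The following is an added example, not part of the advisory or the vendor's code; it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET_PATH = "/vportal/mgtconsole/import.jsp"  # page named in the CVE, lower-cased
TARGET_PARAM = "connpoolname"                   # parameter named in the CVE, lower-cased
MARKUP = re.compile(r"[<>\"'`]")  # characters that can break out of an HTML context
# Assumption: combined log format, request line in the first quoted field.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2018:09:14:02 +0000] "GET /VPortal/mgtconsole/Import.jsp?ConnPoolName=ReportsPool HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Dec/2018:09:15:40 +0000] "GET /VPortal/mgtconsole/Import.jsp?ConnPoolName=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [10/Dec/2018:09:16:11 +0000] "GET /VPortal/mgtconsole/Import.jsp?connpoolname=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5170',
    '198.51.100.7 - - [10/Dec/2018:09:17:00 +0000] "GET /VPortal/index.jsp?q=%3Cb%3E HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (line_number, decoded_value) for ConnPoolName values containing markup."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # Drop path parameters such as ;jsessionid=... and compare case-insensitively.
        path = unquote(url.path).split(";", 1)[0].lower()
        if path != TARGET_PATH:
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(value)  # parse_qsl has already decoded once
            if name.lower() == TARGET_PARAM and MARKUP.search(value):
                hits.append((number, value))
    return hits
```

A hit shows that a crafted link was requested, not that a script ran in a browser; values sent in a POST body do not appear in access logs and need a proxy or WAF log instead.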
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 5.1 (build 51029)
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/150690/VistaPortal-SE-5.1-Cross-Site-Scripting.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2018/Dec/20 (mitre, mailing-list, x_refsource_FULLDISC)