CVE-2018-19386

Name of the Vulnerable Software and Affected Versions SolarWinds Database Performance Analyzer version 11.1.457

Description The issue concerns a Reflected XSS in the idcStateError component. Specifically, the page parameter is reflected into the HREF of the 'Try Again' Button on the page, which can be exploited through a /iwc/idcStateError.iwc?page= URI.

Recommendations For SolarWinds Database Performance Analyzer version 11.1.457, consider disabling the idcStateError component or restricting access to the /iwc/idcStateError.iwc endpoint until a patch is available. Avoid using the page parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.