PT-2020-9352 · Solarwinds · Solarwinds Network Performance Monitor+1

Published: 2020-02-17 · Updated: 2020-02-28 · CVE-2019-12954

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SolarWinds Network Performance Monitor versions 2018, NPM 12.3, NetPath 1.1.3
Description: The issue allows cross-site scripting (XSS) by authenticated users. This is achieved via a crafted onerror attribute of a VIDEO element in an action for an ALERT.
Recommendations: For SolarWinds Network Performance Monitor versions 2018, NPM 12.3, NetPath 1.1.3, consider restricting access to the ALERT action to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the onerror attribute in VIDEO elements within ALERT actions.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-12954

Affected Products

Netpath
Solarwinds Network Performance Monitor