Stored Cross-Site Scripting in SolarWinds Network Performance Monitor
CVE-2019-12954
5.4 MEDIUM
Key Information:
- Vendor: SolarWinds
- Status: Vendor
- CVE Published: 17 February 2020
Summary
SolarWinds Network Performance Monitor (NPM) is affected by a stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject malicious scripts via a crafted onerror attribute in a VIDEO element. The vulnerability is present in Orion Platform 2018, NPM 12.3, and NetPath 1.1.3. It can be exploited through actions related to alerts, potentially compromising user data and security when the alert mechanism is triggered.
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved