Reflected XSS in SolarWinds Database Performance Analyzer
Just a short post from me today, bringing you a pretty simple XSS issue.
In version 11.1.457 of SolarWinds Database Performance Analyzer, there is a Reflected Cross-Site Scripting vulnerability in the ‘idcStateError.iwc’ error page. This was assigned CVE-2018–19386 and has been addressed in version 12.1. However, versions below 11.1.457 may also be vulnerable, as it is unknown when the vulnerability was originally introduced.
The following HTTP Request and response show how the issue is triggered and the results:
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Mon, 19 Nov 2018 18:46:00 GMT