Vulnerability Note VU#203844
SolarWinds Orion IPAM web interface reflected XSS vulnerability
SolarWinds Orion IPAM web interface contains a reflected cross-site scripting vulnerability.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
SolarWinds Orion IPAM web interface contains a reflected cross-site scripting vulnerability. It has been reported that input fields are not sanitized, allowing authenticated users to execute scripts against the SolarWinds Orion IPAM web interface.
1. http://[server name]/Orion/IPAM/IPAMSummaryView.aspx
2. Enter the following in the "Search for an IP address" field: "></script><script>alert('hi')</script>
3. Click Search, which will redirect you to the following URL: http://[server name]/Orion/IPAM/search.aspx?q=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27hi%27%29%3C%2Fscript%3E
An attacker with access to the SolarWinds Orion IPAM web interface can conduct a reflected cross-site scripting attack, which could result in information leakage, privilege escalation, and/or denial of service.
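Requests that exercise this flaw are visible in web server logs, because the search term travels in the `q` parameter of `search.aspx`. The following is an added example, not part of the original note or of any SolarWinds code: it scans constructed log lines for search requests whose `q` value contains markup after decoding. The W3C-style field order and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

SEARCH_STEM = "/orion/ipam/search.aspx"   # endpoint from the note's step 3
MARKUP = re.compile(r"[<>\"'`]")          # never valid in an IP address search

# Constructed sample lines; assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query
SAMPLE_LOG = """\
2012-10-31 10:00:01 192.0.2.10 GET /Orion/IPAM/search.aspx q=10.1.1.5
2012-10-31 10:00:07 192.0.2.44 GET /Orion/IPAM/search.aspx q=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27hi%27%29%3C%2Fscript%3E
2012-10-31 10:00:09 192.0.2.44 GET /Orion/IPAM/Search.aspx Q=%253Cb%253E
2012-10-31 10:00:12 192.0.2.10 GET /Orion/IPAM/IPAMSummaryView.aspx -
""".splitlines()

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_search_requests(lines):
    """Return (client_ip, decoded_q) for search requests whose q carries markup."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[4].lower() != SEARCH_STEM:
            continue
        # ASP.NET reads query keys case-insensitively, so match q and Q alike.
        for key, value in parse_qsl(fields[5], keep_blank_values=True):
            decoded = fully_decode(value)
            if key.lower() == "q" and MARKUP.search(decoded):
                hits.append((fields[2], decoded))
    return hits

if __name__ == "__main__":
    for ip, term in flag_search_requests(SAMPLE_LOG):
        print(f"{ip} sent markup in q: {term!r}")
```

The character class is deliberately strict because a legitimate IP address search never needs quotes or angle brackets; widen it only if the field accepts other kinds of search terms.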
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| SOLARWINDS | Affected | 02 Aug 2012 | 31 Oct 2012 |
Thanks to Anthony Trummer for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: CVE-2012-4939
- Date Public: 31 Oct 2012
- Date First Published: 31 Oct 2012
- Date Last Updated: 31 Oct 2012
- Document Revision: 10