CVE-2019-12863: 
SolarWinds Platform vulnerability analysis and mitigation

CVE-2019-12863 affects SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4). The vulnerability allows Stored HTML Injection by administrators via the Web Console Settings screen. This vulnerability was discovered and reported in 2019 and was officially published on February 25, 2020 (NVD).

The vulnerability is a Stored HTML Injection that occurs when user input is not correctly sanitized and the output is not encoded in the Web Console Settings screen. The vulnerability has been assigned a CVSS v3.1 score of 4.8 MEDIUM and a CVSS v2.0 score of 3.5 LOW (NVD).

This vulnerability can allow an attacker to modify page content seen by victims, potentially redirect users to malicious sites, or inject arbitrary HTML code into the vulnerable web page. The impact is limited as it requires administrator access to exploit (ESec Forte).

The recommended mitigations include properly escaping all untrusted data based on the HTML context, implementing positive or white-list input validation, using HTML & URL encoding for applications which accept special characters and meta tags, and implementing both client-side and server-side validation (ESec Forte).