OCSInventory 2.12.0 - Stored XSS
4,9
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
OCSInventory-ocsreports 2.12.0 - Stored cross-site Scripting
Code name
State
Private
Release date
11 ago 2023
Affected product
OCSInventory
Affected version(s)
Version 2.12.0
Vulnerability name
Stored cross-site Scripting
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS v3.1 base score
4.9
Exploit available
Yes
CVE ID(s)
Description
OCSInventory allow stored email template with special characters that lead to a Stored cross-site Scripting.
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in OCSInventory-ocsreports, which could potentially allow an attacker to steal sensitive data such as session cookies. It is also possible to steal the password hash if the attacker changes the server state to debug, this due to the server in debug mode displaying the hash.This could be exploited if the target is an administrator with a current login session.
Exploitation
To exploit this vulnerability we need to go to the Portal of ocsreports -> Configuration -> Notification -> Customize Template and Upload a HTML file with our payload:
Note that only administrators can make changes to the mail template.
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-3726 to refer to this issue from now on. Disclosure policy
System Information
Version: OCSInventory-ocsreports v2.12.0
Operating System: Linux
Mitigation
An updated version of OCSInventory-ocsreports is available at the vendor page.
References
Vendor page https://ocsinventory-ng.org/
Timeline
IA generativa
17 jul 2023
Vendor Confirmed Vuln.
20 jul 2023
Vulnerability patched
11 ago 2023
Vendor contacted
17 jul 2023
Vendor replied
20 jul 2023
Public disclosure
11 ago 2023
