Affected Products OCSInventory-ocsreports 2.4 (older releases have not been tested) References https://www.secuvera.de/advisories/secuvera-SA-2017-03.txt (used for updates) https://www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released/ (Release announcement of OCS Inventory 2.4.1) Summary: Open Computer and Software Inventory Next Generation (OCS inventory NG) is free software that enables users to inventory IT assets. (Source: Wikipedia) OCS Reports for OCS Inventory is a web application to manage the OCS Inventory Server and Clients. The web application is prone to reflected Cross-Site-Scripting (XSS) attacks. Effect: An attacker is able to execute arbitrary (javascript) code within a victims' browser by luring a victim to click on a link containing malicious code Vulnerable Scripts: 1) anonymous: USERID and Password field of login page are vulnerable 2) logged in user: index.php: arbitrary supplied URL parameters will get included within a javascript block. 3) logged in user: index.php: parameter "prov" will get included within a hidden page form field Examples: 1) Enter the following payload into login form: " onload="alert(42); 2) http://<ip>/index.php?function=visu_search&prov=allsoft&value=somesoftware%&rk28e'-alert(1)-'js9gz=1 3) http://<ip>/index.php?function=visu_search&prov=allsoftfrsk4'accesskey%3d'x'onclick%3d'alert(1)'%2f%2fqqy1d&value=<name_of_software> Solution: Install OCS Inventory Release 2.4.1 or newer. Disclosure Timeline: 2017/12/15 vendor contacted, asked for security contact information 2018/01/02 contacted vendor again after no answer was received so far 2018/01/02 response of responsible contact 2018/01/22 Sent technical details 2018/02/12 Developer replied proposing fix 2018/03/28 Developer contacted us to announce the upcoming release 2018/04/05 OCS Version 2.4.1 was released 2018/08/09 Release of the security advisory Credits Simon Bieber, secuvera GmbH sbieber@xxxxxxxxxxx https://www.secuvera.de Thanks to: Michael Hermann, secuvera GmbH for his support! Gilles Dubois and Damien Belliard, factorfx for fixing this issue! Disclaimer: All information is provided without warranty. The intent is to provide informa- tion to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.