Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitation and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.
AnalysisAI
Stored cross-site scripting in OCS Inventory NG Server 2.12.3 and prior allows unauthenticated attackers to inject malicious JavaScript via User-Agent HTTP headers to the /ocsinventory endpoint, which is then stored and executed in the browsers of authenticated users viewing the statistics dashboard. The vulnerability requires user interaction (dashboard access) but affects all instances accepting agent registrations without input validation, creating a persistent attack surface for multi-user deployments.
Technical ContextAI
OCS Inventory NG Server is a network asset management and inventory solution that processes HTTP requests from inventory agents. The vulnerability stems from improper input validation and output encoding of the User-Agent HTTP header field. When unauthenticated agents submit requests to the /ocsinventory endpoint with malicious User-Agent values, the application stores these values in a database without sanitization (CWE-79: Improper Neutralization of Input During Web Page Generation). Subsequently, when authenticated administrators or operators view the statistics dashboard that displays agent information, the unsanitized User-Agent strings are rendered in the HTML response with insufficient character encoding, allowing embedded JavaScript to execute in the victim's browser context. The attack leverages the fact that User-Agent headers are typically trusted input vectors and the application's failure to apply context-appropriate output encoding (such as HTML entity encoding) when rendering user-supplied data in web pages.
RemediationAI
Upgrade OCS Inventory NG Server to a patched version released after commit 78faf2ca8b897141ba4d337d75692ab8e405bd4e. The upstream fix is available in the repository pull request at https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483 and commit https://github.com/OCSInventory-NG/OCSInventory-Server/commit/78faf2ca8b897141ba4d337d75692ab8e405bd4e. Check the OCS Inventory NG releases page for the next patched version number following 2.12.3 and apply it. In the interim, network-based mitigations include restricting access to the /ocsinventory endpoint to trusted agent networks via firewall rules, implementing Web Application Firewall (WAF) rules to reject User-Agent headers containing script-like patterns or HTML special characters, and disabling untrusted agent registration capabilities if operationally feasible. Audit existing agent records for suspicious User-Agent entries and remove rogue agents.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19484
GHSA-xwcw-3qx7-8hxm