Primary

Context

OCS Inventory NG Server Stored Cross-Site Scripting Vulnerability via User-Agent

Vulnerability

Patched

A stored cross-site scripting vulnerability has been identified in OCS Inventory NG Server versions through 2.12.3. This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript by sending malicious User-Agent HTTP headers to the /ocsinventory endpoint. The injected scripts are stored without proper sanitation and are displayed with inadequate encoding in the web console. This leads to the execution of arbitrary JavaScript in the browsers of authenticated users who are viewing the statistics dashboard.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the statistics dashboard.

Remediation

Users can update to the latest version of OCS Inventory NG Server to address this vulnerability.

Added: Apr 6, 2026, 10:30 PM

Updated: Apr 6, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

1.7

exploitability

6.7

remediation

7.7

relevance

5.4

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

1.7

exploitability

6.7

remediation

7.7

relevance

5.4

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

OCS Inventory NG Server Stored Cross-Site Scripting Vulnerability via User-Agent

Vulnerability

Impact

Remediation

Affected Products

OCS Inventory NG Server

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating