FOG Project Stored Cross-Site Scripting Vulnerability in Multiple Management Pages

Vulnerability

A stored cross-site scripting vulnerability affects FOG Project versions prior to 1.5.10.1812. It is present in the listing tables of several management pages, including Host, Storage, Group, Image, Printer, and Snapin. The root cause is twofold: parameters are not adequately sanitized server-side when a record is created or updated, so a script payload is persisted as part of the record, and the listing tables then emit the stored values without HTML escaping. Any user who views an affected listing page therefore runs the injected script in their own browser, under their own authenticated session.

Impact

Exploitation results in stored cross-site scripting: the injected script executes in the browser of any user who views the affected management page, which in a FOG deployment is typically an administrator. Possible consequences include session hijacking, unauthorized actions performed on behalf of the administrator, exfiltration of sensitive data, and execution of arbitrary attacker-supplied script in the victim's browser.

Reproduction

To reproduce this vulnerability, log into the FOG Project management interface and navigate to one of the affected management pages (Host, Storage, Group, Image, Printer, Snapin). Enter a script payload into a field whose value is rendered in a listing table without sanitization, for example 'Group Name' in Group Management or 'Friendly Name' in User Management. Submit the form; the injected script executes the next time the listing page is viewed, by any user who views it.
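The following PHP is an added illustration of the two defects described above and of the fix that closes them; it is not FOG Project code, and the record fields, function names, and sample records are assumptions constructed for the example. It renders a listing-table row the vulnerable way (stored value interpolated into HTML as-is) and the hardened way (every untrusted value HTML-encoded at the point of output), then runs a simple check that flags any renderer which passes a stored '<' through to the page unchanged.

```php
<?php
// Added example (not FOG Project code). Field names and sample records are
// assumptions for illustration; they are not FOG identifiers.

/** Constructed sample records, as they might be read back from the database. */
function sample_records(): array {
    return [
        ['id' => 1, 'name' => 'lab-pc-01', 'description' => 'Classroom image host'],
        // A stored payload: the name survived record creation without sanitization.
        ['id' => 2,
         'name' => '<img src=x onerror=alert(document.cookie)>',
         'description' => '"><script>alert(1)</script>'],
    ];
}

/** Vulnerable: stored values are interpolated straight into the table markup. */
function render_row_vulnerable(array $r): string {
    return "<tr><td>{$r['id']}</td><td>{$r['name']}</td><td>{$r['description']}</td></tr>";
}

/** Encode a value for an HTML text node or a double-quoted attribute value. */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened: every untrusted value is encoded where it is written into HTML. */
function render_row_hardened(array $r): string {
    return '<tr><td>' . h((string) $r['id']) . '</td><td>' . h($r['name'])
         . '</td><td>' . h($r['description']) . '</td></tr>';
}

/**
 * Self-check for a renderer: if a stored value contains '<' and that exact
 * value appears verbatim in the rendered HTML, the markup was not escaped.
 * Returns the ids of the rows that leak.
 */
function unescaped_rows(callable $render, array $records): array {
    $bad = [];
    foreach ($records as $r) {
        $html = $render($r);
        foreach (['name', 'description'] as $field) {
            if (strpos($r[$field], '<') !== false && strpos($html, $r[$field]) !== false) {
                $bad[] = $r['id'];
                break;
            }
        }
    }
    return $bad;
}

$records = sample_records();
echo 'vulnerable renderer leaks rows: ' . implode(',', unescaped_rows('render_row_vulnerable', $records)) . PHP_EOL;
echo 'hardened renderer leaks rows:   ' . implode(',', unescaped_rows('render_row_hardened', $records)) . PHP_EOL;
echo render_row_hardened($records[1]) . PHP_EOL;
```

Running it reports that the vulnerable renderer leaks row 2 and the hardened renderer leaks none; the last line shows the payload rendered as inert text ("&lt;img src=x onerror=...&gt;"). Two points a practitioner should take from this: rejecting or stripping tags at record creation is worthwhile defence in depth, but it does not replace output encoding, because data can reach the table through other paths (imports, API, older rows); and the encoding must match the output context, since the text-node and attribute encoding shown here is not sufficient for values placed inside a script block, a URL, or an event-handler attribute.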

Remediation

Update to FOG Project version 1.5.10.1812 or later, which addresses this vulnerability.

Added: Mar 27, 2026, 8:30 PM
Updated: Mar 27, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 5.4
exploitability: 6.0
remediation: 7.7
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.