Bug 2054395 (CVE-2021-46355) - CVE-2021-46355 ocsinventory: Stored XSS via device name
Summary: CVE-2021-46355 ocsinventory: Stored XSS via device name
Keywords:
Status: NEW
Alias: CVE-2021-46355
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2054393
Reported: 2022-02-14 21:12 UTC by Todd Cullum
Modified: 2023-07-07 08:30 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Todd Cullum 2022-02-14 21:12:32 UTC
OCS Inventory 2.9.1 is affected by Cross Site Scripting (XSS). To exploit the vulnerability, the attacker needs to manipulate the name of some device on your computer, such as a printer, replacing the device name with some malicious code that allows the execution of Stored Cross-site Scripting (XSS).

References:
http://ocs.com
https://medium.com/@windsormoreira/ocs-inventory-2-9-1-cross-site-scripting-xss-cve-2021-46355-a88d72606b7e

