← back
CVE-2018-25349

userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For Header

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79
userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators visit the audit log page.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Affected products
UserSpice · userSpice
public PoCs found1
cve_referencewww.exploit-db.com/exploits/44871unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://www.exploit-db.com/exploits/44871https://www.vulncheck.com/advisories/userspice-cross-site-scripting-via-x-forwarded-for-header