CVE-2018-1000557
Description
OCS Inventory NG ocsreports version 2.4 contains a Cross Site Scripting (XSS) vulnerability in the login form and the search functionality. An attacker is able to execute arbitrary (JavaScript) code within a victim's browser. The attack appears to be exploitable when the victim opens a crafted link to the application. This vulnerability appears to have been fixed in ocsreports 2.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OCS Inventory NG ocsreports 2.4 has reflected XSS in login and search; arbitrary JS execution via crafted links. Fixed in 2.4.1.
Vulnerability
OCS Inventory NG ocsreports version 2.4 contains multiple reflected Cross-Site Scripting (XSS) vulnerabilities. The login form's USERID and Password fields are vulnerable to XSS [1]. Additionally, for logged-in users, the index.php script reflects arbitrary URL parameters within a JavaScript block, and the prov parameter is reflected within a hidden form field [1]. Older versions were not tested.
Exploitation
An attacker can exploit these vulnerabilities by tricking a victim into opening a crafted link to the OCS Inventory application or by entering a malicious payload into the login form [1]. For the login form, entering a payload such as `" onload="alert(42)` in the username or password field triggers XSS. For the search functionality, a specially crafted URL such as `http:///index.php?function=visu_search&prov=allsoft&value=somesoftware%&rk28e'-alert(1)-'js9gz=1` can cause arbitrary JavaScript execution [1]. No authentication is required for the login form XSS, but the search-related XSS requires the victim to be logged in.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript code within the victim's browser in the context of the OCS Inventory application [1]. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page.
Mitigation
The vulnerabilities are fixed in ocsreports version 2.4.1, released on April 5, 2018 [1]. Users should upgrade to version 2.4.1 or later. No workarounds were provided for versions prior to the fix.
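The advisory describes two reflection contexts: a URL parameter echoed into a hidden form field (HTML attribute context) and a parameter echoed inside a JavaScript block (JS string context). The PHP fragment below is an added illustration of those two patterns beside their hardened form; it is not code from OCS Inventory NG's ocsreports or from the secuvera advisory, and the function names, the `$prov`/`$value` variables and the allow-list of `prov` values are assumed for the example only.

```php
<?php
// Added example; not OCS Inventory NG code. Variable and function names are
// assumed for illustration and do not claim to match ocsreports internals.

// --- Vulnerable pattern: raw request data reflected into markup and script ---
function render_unsafe(array $get): string {
    $prov  = $get['prov'] ?? '';
    $value = $get['value'] ?? '';
    // Attribute context: a double quote in $prov terminates the value="" and
    // lets further attributes be appended to the <input> element.
    $html  = '<input type="hidden" name="prov" value="' . $prov . '">';
    // JavaScript string context: a single quote in $value terminates the
    // literal and the remainder is parsed as script.
    $html .= "<script>var search = '" . $value . "';</script>";
    return $html;
}

// --- Hardened pattern: encode for the exact context each value lands in ---
function render_safe(array $get): string {
    $prov  = $get['prov'] ?? '';
    $value = $get['value'] ?? '';
    // Allow-list for a parameter with a fixed vocabulary (constructed list;
    // 'allsoft' is the only value the advisory URL shows).
    $allowedProv = ['allsoft'];
    if (!in_array($prov, $allowedProv, true)) {
        $prov = 'allsoft';
    }
    // HTML attribute context: ENT_QUOTES escapes both " and ' so the value
    // cannot close the attribute; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
    $html  = '<input type="hidden" name="prov" value="'
           . htmlspecialchars($prov, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
    // JavaScript context: json_encode yields a valid JS string literal, and the
    // HEX flags \u-escape < > & ' " so the value can close neither the literal
    // nor the <script> element.
    $js = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    $html .= '<script>var search = ' . $js . ';</script>';
    return $html;
}

// Demonstration with a constructed input containing both quote kinds and a tag.
$sample = ['prov' => 'allsoft', 'value' => "x'y\"z<w>"];
echo render_unsafe($sample), PHP_EOL; // quotes land unencoded inside the JS literal
echo render_safe($sample), PHP_EOL;   // quotes and brackets emitted as \u00xx escapes
```

The point of the two encoders is that the fix depends on the output context, not on the input: the same request value needs `htmlspecialchars` when it lands in an attribute and a JSON-encoded literal when it lands in script. A Content-Security-Policy without `unsafe-inline` is a useful second layer, but it does not replace contextual encoding, because the vulnerable output above is itself an inline script.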
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 2.2, 2.2.1, 2.2RC1, …
- Range: <=2.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] www.ocsinventory-ng.org/en/ocs-inventory-server-2-4-1-has-been-released/
- [1] www.secuvera.de/advisories/secuvera-SA-2017-03.txt
News mentions
No linked articles in our index yet.