CVE-2018-25349
Description
userSpice 4.3.24 is vulnerable to stored XSS via the X-Forwarded-For header, allowing attackers to inject scripts that execute in admin audit logs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
userSpice version 4.3.24 (and possibly earlier) contains a cross-site scripting (XSS) vulnerability in the backup.php endpoint. The application logs the X-Forwarded-For HTTP header without proper sanitization, storing it in the audit log. When an administrator views the audit log page, the stored payload is executed in the browser. [1][2]
Exploitation
An attacker can send a crafted GET request to /users/cron/backup.php?from=users/cron_manager.php/ with a malicious JavaScript payload in the X-Forwarded-For header. No authentication is required for the request, but the payload only triggers when an authenticated administrator visits the audit log page. The provided PoC uses a Perl script to send the request. [2]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the administrator's browser session. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the admin panel. The attack is limited to the administrator's browser and does not directly compromise the server. [1]
Mitigation
As of the available references, no official patch has been released for userSpice 4.3.24. Users should consider upgrading to a newer version if available, or apply input sanitization on the X-Forwarded-For header in the backup.php endpoint. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [1][2]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization of the X-Forwarded-For HTTP header before storing it in audit logs, and missing output encoding when rendering audit log entries."
Attack vector
An attacker sends a crafted GET request to the `backup.php` endpoint (e.g., `/users/cron/backup.php?from=users/cron_manager.php/`) with a malicious JavaScript payload in the `X-Forwarded-For` HTTP header [ref_id=1]. The payload is stored in the application's audit logs. When an administrator later visits the audit log page, the unsanitized payload executes in the administrator's browser context, leading to cross-site scripting [ref_id=1].
Affected code
The vulnerability exists in the `backup.php` endpoint located at `users/cron/backup.php`. The application logs the `X-Forwarded-For` HTTP header value without sanitization, and this logged value is later rendered unsafely on the audit log page.
What the fix does
No patch is included in the bundle. The advisory does not specify a fix, but the remediation would require sanitizing or encoding the `X-Forwarded-For` header value before storing it in the audit log, and escaping the value when rendering it on the audit log page to prevent script execution.
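The pattern the advisory describes beside a hardened form, as an added illustration (not userSpice's own code; the function names and the sample request are assumptions):

```php
<?php
// Added example, not from the userSpice code base: the defect is a header
// value stored raw and later echoed into the admin audit page unescaped.
// Function names and the sample request below are hypothetical.

// Vulnerable pattern: trust X-Forwarded-For and emit it as-is.
function audit_entry_vulnerable(array $server): string {
    $ip = $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'];
    return "<td>" . $ip . "</td>";   // raw HTML: any markup in the header renders
}

// Hardened, step 1 (before storing): accept the header only if every hop is a
// syntactically valid IP; otherwise fall back to the socket peer address, which
// the client cannot forge. Only trust the header at all behind a known proxy.
function client_ip(array $server): string {
    $raw  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $raw));
    foreach ($hops as $hop) {
        if ($hop === '' || filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $server['REMOTE_ADDR'];   // reject the whole header
        }
    }
    return $hops[0];   // first hop is the original client when the proxy is trusted
}

// Hardened, step 2 (when rendering): encode on output regardless of what was
// stored, so an old unvalidated log row still cannot execute in the browser.
function audit_entry_safe(array $server): string {
    $ip = client_ip($server);
    return "<td>" . htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</td>";
}

// Constructed sample request: a forged header carrying markup.
$req = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, <script>alert(1)</script>',
];
echo audit_entry_vulnerable($req), PHP_EOL;  // markup reaches the admin page
echo audit_entry_safe($req), PHP_EOL;        // header rejected, peer address logged

// A well-formed header (two proxy hops) is accepted and rendered safely.
$req['HTTP_X_FORWARDED_FOR'] = '198.51.100.7, 10.0.0.1';
echo audit_entry_safe($req), PHP_EOL;
```

Both steps are needed: validation limits what reaches the log, and output encoding protects the admin page even for rows written before the validation existed.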
Preconditions
- config: The application must be userSpice version 4.3.24
- input: An administrator must visit the audit log page where the payload is rendered
- network: The attacker must be able to send HTTP requests to the backup.php endpoint
Reproduction
1. Run the provided Perl script: `perl exploit.pl`
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.