CVE-2021-46355
Description
OCS Inventory 2.9.1 is affected by Cross Site Scripting (XSS). To exploit the vulnerability, the attacker needs to manipulate the name of some device on your computer, such as a printer, replacing the device name with some malicious code that allows the execution of Stored Cross-site Scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OCS Inventory 2.9.1 allows stored XSS via malicious device names, enabling arbitrary script execution in the admin panel.
Vulnerability
OCS Inventory version 2.9.1 is affected by a stored cross-site scripting (XSS) vulnerability. The flaw resides in how the application handles device names (e.g., printer names) reported by inventory agents. When an attacker-controlled device sends a name containing malicious JavaScript, the unsanitized payload is stored in the database and later rendered without proper encoding on the OCS web console pages. [1]
Exploitation
Exploitation requires an attacker to have the ability to modify the name of a device that is inventoried by OCS Inventory. This could be achieved by an authenticated user with permission to edit device properties, or by a compromised agent sending crafted inventory data. The attacker replaces the legitimate device name with an XSS payload (e.g., ``). When an administrator or any user views the affected device in the OCS web interface, the stored script executes in the context of their browser session. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's OCS Inventory web application session. This can lead to session hijacking, defacement, phishing attacks, or redirection to malicious sites. The attack can compromise administrative accounts and the integrity of the inventory management system. The impact is limited to the web interface; the underlying server or agent data is not directly affected. [1]
Mitigation
As of the publication date (2022-02-11), no patch had been released for CVE-2021-46355. Users of OCS Inventory 2.9.1 are advised to manually sanitize device name input or implement a web application firewall (WAF) rule that blocks common XSS patterns. Organizations should also restrict access to the OCS web console to trusted networks only. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
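The following is an added example, not code from OCS Inventory or from the cited references. It is written in PHP, the language of the OCS web console, and shows agent-reported device names being encoded at output time, plus a triage pass over stored names. The function names, record layout and sample values are all constructed for illustration.

```php
<?php
// Added example: function names, record layout and sample data are constructed,
// not taken from the OCS Inventory code base.

/** Encode an agent-reported value for HTML text or a quoted attribute. */
function encode_for_html(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return records whose name holds markup-significant or control characters. */
function find_suspicious_names(array $records): array
{
    // Triage only: benign names with quotes or ampersands are listed as well.
    return array_values(array_filter($records, function (array $r): bool {
        return preg_match('/[<>"\'&`]|[\x00-\x1F\x7F]/', $r['name']) === 1;
    }));
}

/** Render one table row; every agent-supplied field is encoded on output. */
function render_row(array $r): string
{
    $name = encode_for_html($r['name']);
    return sprintf(
        '<tr><td>%d</td><td title="%s">%s</td></tr>',
        $r['hardware_id'],
        $name,
        $name
    );
}

// Constructed sample of agent-reported printer names.
$printers = [
    ['hardware_id' => 101, 'name' => 'HP LaserJet 4200 (Floor 2)'],
    ['hardware_id' => 102, 'name' => '<script>alert(1)</script>'],
    ['hardware_id' => 103, 'name' => 'Brother "HL-L2350" & tray'],
];

foreach ($printers as $p) {
    echo render_row($p), PHP_EOL;
}
foreach (find_suspicious_names($printers) as $hit) {
    // Encode here too: the review list may itself be opened in a browser.
    printf("review hardware_id=%d name=%s\n", $hit['hardware_id'], encode_for_html($hit['name']));
}
```

Encoding at render time covers names already stored in the database, which filtering new agent submissions alone would not.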
Affected products
- OCS Inventory/OCS Inventory (description)
  - Range: =2.9.1
Patches
No patches discovered yet.
References
- ocs.com (mitre, x_refsource_MISC)
- medium.com/%40windsormoreira/ocs-inventory-2-9-1-cross-site-scripting-xss-cve-2021-46355-a88d72606b7e (mitre, x_refsource_MISC)