CVE-2018-25349

Description

userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators visit the audit log page.

References

• https://www.exploit-db.com/exploits/44871
• https://www.vulncheck.com/advisories/userspice-cross-site-scripting-via-x-forwarded-for-header