Description
userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators visit the audit log page.
Published: 2026-05-23
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in userSpice 4.3.24, specifically in the backup.php endpoint. A payload sent in the X-Forwarded-For HTTP header is recorded and later executed when an administrator views the audit log page. This lets an attacker run arbitrary JavaScript in the administrator's browser, potentially stealing session cookies or performing other actions with the administrator's privileges. No privileged credentials are needed; the attacker only has to send a request carrying the malicious header.

Affected Systems

UserSpice version 4.3.24. No other versions are listed, so the risk is confined to installations running exactly that version. Administrators of userSpice deployments should verify whether they are running 4.3.24 and plan an update accordingly.

Risk and Exploitability

The CVSS v3.1 score is 5.1, indicating medium severity. Because the flaw is exploitable remotely over HTTP, an attacker can reach the exposed web interface without authentication. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, which lowers confidence that it is being actively exploited in the wild. Nonetheless, an administrator who views an audit log containing an injected payload will have that script executed in their browser, so the risk to the confidentiality and integrity of the admin session is significant. The attack vector is remote: crafted HTTP requests to the backup.php endpoint.

Generated by OpenCVE AI on May 23, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a UserSpice release newer than 4.3.24 that removes the flaw.
  • If an update cannot be applied immediately, configure the web server or reverse proxy to strip or sanitize the X-Forwarded-For header for requests to backup.php or the audit log so that payloads cannot reach the application.
  • Validate header values on ingestion and HTML-encode them before they are rendered in the audit log, so that any injected script is neutralized.
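As an added illustration of the mitigation in the last two bullets (example code written for this page, not userSpice's own code), the PHP below contrasts an assumed vulnerable rendering of a logged X-Forwarded-For value with a version that validates the header at ingestion and HTML-encodes it at output. The function names, the row layout and the sample header values are all assumptions.

```php
<?php
// Added example, not userSpice code: the CWE-79 pattern described in this
// record (a client-supplied X-Forwarded-For value rendered into an admin
// audit-log page) beside a hardened version. Function names, the $row
// shape and the sample values are assumptions, not taken from userSpice.

// Vulnerable pattern (assumed shape): the raw header is logged and later
// concatenated straight into HTML, so any markup in it is rendered live.
function vulnerable_render_row(array $row): string
{
    return '<tr><td>' . $row['user'] . '</td><td>' . $row['ip'] . '</td></tr>';
}

// Hardening step 1, at ingestion: keep only a syntactically valid IP literal.
// X-Forwarded-For is client-controlled; trust it only behind a proxy you run,
// and fall back to the socket peer address (REMOTE_ADDR) otherwise.
function client_ip(array $server, bool $behindTrustedProxy): string
{
    $peer = $server['REMOTE_ADDR'] ?? 'unknown';
    if (!$behindTrustedProxy) {
        return $peer;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // The header is a comma-separated hop list; the first entry is the
    // original client as reported by the proxy chain.
    $first = trim(explode(',', $xff, 2)[0]);
    return filter_var($first, FILTER_VALIDATE_IP) !== false ? $first : $peer;
}

// Hardening step 2, at output: HTML-encode every value when it is rendered.
// This also protects rows that were stored before step 1 was deployed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safe_render_row(array $row): string
{
    return '<tr><td>' . h($row['user']) . '</td><td>' . h($row['ip']) . '</td></tr>';
}

// Constructed sample request: a non-IP value in the header followed by a
// proxy-appended hop. The markup here is deliberately inert.
$server = [
    'HTTP_X_FORWARDED_FOR' => '<b>not-an-ip</b>, 203.0.113.5',
    'REMOTE_ADDR'          => '198.51.100.7',
];

// Vulnerable path: header stored verbatim and echoed unencoded.
$row = ['user' => 'alice', 'ip' => $server['HTTP_X_FORWARDED_FOR']];
echo vulnerable_render_row($row), PHP_EOL;

// Hardened path: the invalid first hop is rejected and the peer address is
// logged instead; the rendered cell is encoded either way.
$row = ['user' => 'alice', 'ip' => client_ip($server, true)];
echo safe_render_row($row), PHP_EOL;

// A row that was already stored with raw markup is still rendered inert.
$row = ['user' => 'a<b>', 'ip' => '<b>not-an-ip</b>'];
echo safe_render_row($row), PHP_EOL;
```

Both layers matter: stripping or validating the header at the proxy or at ingestion stops new payloads from being stored, but it does nothing for rows already in the audit table, which is what the output encoding in safe_render_row covers.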

Generated by OpenCVE AI on May 23, 2026 at 19:23 UTC.

Advisories

No advisories yet.

History

Sat, 23 May 2026 18:45:00 +0000

Type        | Values Removed | Values Added
Description |                | userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators visit the audit log page.
Title       |                | userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For Header
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
            |                | cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-24T01:36:19.521Z

Reserved: 2026-05-23T15:33:04.251Z

Link: CVE-2018-25349

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T19:30:25Z

Weaknesses