Unknown · Ocsinventory-Server · CVE-2026-22675
**Name of the Vulnerable Software and Affected Versions**
OCS Inventory NG Server versions 2.12.3 and prior
**Description**
OCS Inventory NG Server versions 2.12.3 and prior contain a stored cross-site scripting issue. Unauthenticated attackers can execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the `/ocsinventory` API endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values. These values are stored without proper sanitization and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard.
**Recommendations**
Update OCS Inventory NG Server to a version later than 2.12.3.
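A defender-side check for the behaviour in the Description, added here as an example and not taken from OCS Inventory or from this advisory: it scans Apache combined-format access logs for requests to `/ocsinventory` whose User-Agent contains HTML markup characters, and shows the HTML-encoded form a console should emit for that value. The log format, the set of flagged characters, the function name and the sample lines are assumptions constructed for illustration.

```python
import html
import re

# Apache "combined" log line. Apache writes a literal " inside a header
# value as \" so each quoted field must accept backslash escapes.
FIELD = r'(?:[^"\\]|\\.)*'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    rf'"(?P<request>{FIELD})" \d{{3}} \S+ "{FIELD}" "(?P<ua>{FIELD})"'
)
ENDPOINT = "/ocsinventory"    # endpoint named in the advisory
MARKUP_CHARS = set("<>\"'`")  # assumption: an agent User-Agent never needs these

# Constructed sample lines (documentation IP ranges, made-up agent name).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2026:09:14:02 +0000] "POST /ocsinventory HTTP/1.1" 200 312 "-" "example-inventory-agent/1.0"',
    '198.51.100.7 - - [12/Jan/2026:09:15:40 +0000] "POST /ocsinventory HTTP/1.1" 200 312 "-" "<script>alert(1)</script>"',
    '198.51.100.7 - - [12/Jan/2026:09:15:44 +0000] "POST /ocsinventory HTTP/1.1" 200 312 "-" "inventory\\"agent"',
    '203.0.113.5 - - [12/Jan/2026:09:16:01 +0000] "GET /ocsreports/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0 <b>"',
]


def suspicious_agents(lines):
    """Return requests to ENDPOINT whose User-Agent carries markup characters."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = m.group("request").split()
        if len(parts) < 2 or parts[1].split("?", 1)[0].rstrip("/") != ENDPOINT:
            continue  # other endpoints are out of scope for this check
        ua = re.sub(r'\\(["\\])', r"\1", m.group("ua"))  # undo Apache escaping
        if MARKUP_CHARS & set(ua):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "ua": ua,
                # What a console should emit for this value in HTML output.
                "encoded": html.escape(ua, quote=True),
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_agents(SAMPLE_LOG):
        print(f["time"], f["ip"], f["encoded"])
```

A hit means a markup-bearing value reached the endpoint; whether it was stored and rendered still has to be confirmed on the server.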