Open Computer and Software Inventory Next Generation is an application designed to help a network or system administrator keep track of the computers configuration and software that are installed on the network. OCS Inventory is also able to detect all active devices on your network, such as switch, router, network printer and unattended devices. OCS Inventory NG includes package deployment feature on client computers. ocsinventory is a metapackage that will install the communication server, the administration console and the database server (MySQL).
{"id": "FEDORA:D7625218D8", "vendorId": null, "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 15 Update: ocsinventory-1.3.3-5.fc15", "description": "Open Computer and Software Inventory Next Generation is an application designed to help a network or system administrator keep track of the computers configuration and software that are installed on the network. OCS Inventory is also able to detect all active devices on your network, such as switch, router, network printer and unattended devices. OCS Inventory NG includes package deployment feature on client computers. ocsinventory is a metapackage that will install the communication server, the administration console and the database server (MySQL). ", "published": "2011-11-14T00:53:53", "modified": "2011-11-14T00:53:53", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": true}, "cvss3": {}, "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WP3BJYZSFGNHKZEXVTEMBH4PRGCBTQ5Z/", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2011-4024"], "immutableFields": [], "lastseen": "2020-12-21T08:17:50", "viewCount": 3, "enchantments": {"dependencies": {}, "score": {"value": 6.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2011-4024"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2011-4024"]}, {"type": "fedora", "idList": ["FEDORA:DF3F620E88"]}, {"type": "nessus", "idList": ["FEDORA_2011-14963.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:863831"]}]}, "exploitation": null, "vulnersScore": 6.4}, "_state": {"dependencies": 0}, "_internal": {}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "15", "arch": "any", "packageName": "ocsinventory", "packageVersion": "1.3.3", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"exploitpack": [{"lastseen": "2020-04-01T19:04:38", "description": "\nOCS Inventory NG 2.0.1 - Persistent Cross-Site Scripting", "edition": 2, "cvss3": {}, "published": "2011-10-20T00:00:00", "title": "OCS Inventory NG 2.0.1 - Persistent Cross-Site Scripting", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4024"], "modified": "2011-10-20T00:00:00", "id": "EXPLOITPACK:1887D945BE32BF5148C0A523C655176E", "href": "", "sourceData": "OCS Inventory NG 2.0.1 - Persistent XSS (CVE-2011-4024)\n-------------------------------------------------------\n\nSoftware : Open Computer and Software (OCS) Inventory NG\nDownload : http://www.ocsinventory-ng.org/\nDiscovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)\nDiscover : 2011-10-04\nPublished : 2011-10-05\nVersion : 2.0.1 and prior\nImpact : Persistent XSS\nRemote : Yes (No authentication is needed)\nCVE-ID : CVE-2011-4024\n\n\nInfo\n----\n\nOpen Computer and Software (OCS) Inventory Next Generation (NG) is an\napplication designed to help a network or system administrator keep track\nof the computers configuration and software that are installed on the network.\n\n\nDetails\n-------\n\nThe vulnerability is in the data sent by the agent OCS. The inventory service\nand the admin panel does not control the data received. An attacker could inject\nmalicous HTML/JS through into the inventory information (eg. the computer\ndescription field under WinXP). This data is printed in the admin panel wich\ncan lead to a session hijack or whatever you want.\n\n\nPoC\n---\n\n1. Enter the XSS script (eg. <script>alert(String.fromCharCode(88,83,83))</script>)\n in the computer description field. (WinXP > System Properties > Computer\n Name > Computer Description)\n \n2. Launch an inventory with OCS Agent\n\n3. Go on the admin panel (http://SERVER/ocsreports/)\n\n4. View your computer detail \n\nTested on : OCS Agent 2.0.1 (WinXP SP3) and OCS Server 2.0.1 (Windows).\nNot tested on : Linux Plateform and GLPI (OCS import)\n\n\nSolution\n--------\n\nUpgrade to OCS Inventory NG 2.0.2", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2021-08-19T12:59:43", "description": "Fix a XSS vulnerability\n----------------------------------------------------------------------\n-----=\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2011-11-14T00:00:00", "type": "nessus", "title": "Fedora 15 : ocsinventory-1.3.3-5.fc15 (2011-15007)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:ocsinventory", "cpe:/o:fedoraproject:fedora:15"], "id": "FEDORA_2011-15007.NASL", "href": "https://www.tenable.com/plugins/nessus/56792", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-15007.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56792);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4024\");\n script_bugtraq_id(50011);\n script_xref(name:\"FEDORA\", value:\"2011-15007\");\n\n script_name(english:\"Fedora 15 : ocsinventory-1.3.3-5.fc15 (2011-15007)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix a XSS vulnerability\n----------------------------------------------------------------------\n-----=\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=748072\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-November/069293.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ef981648\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected ocsinventory package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:ocsinventory\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:15\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^15([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 15.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC15\", reference:\"ocsinventory-1.3.3-5.fc15\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ocsinventory\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-08-19T12:59:39", "description": "Fix a XSS vulnerability\n----------------------------------------------------------------------\n-----=\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2011-11-14T00:00:00", "type": "nessus", "title": "Fedora 14 : ocsinventory-1.3.3-5.fc14 (2011-14963)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:ocsinventory", "cpe:/o:fedoraproject:fedora:14"], "id": "FEDORA_2011-14963.NASL", "href": "https://www.tenable.com/plugins/nessus/56790", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-14963.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56790);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4024\");\n script_bugtraq_id(50011);\n script_xref(name:\"FEDORA\", value:\"2011-14963\");\n\n script_name(english:\"Fedora 14 : ocsinventory-1.3.3-5.fc14 (2011-14963)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix a XSS vulnerability\n----------------------------------------------------------------------\n-----=\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=748072\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-November/069280.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?616a3a53\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected ocsinventory package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:ocsinventory\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:14\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^14([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 14.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC14\", reference:\"ocsinventory-1.3.3-5.fc14\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ocsinventory\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-08-19T12:59:40", "description": "Fix a XSS vulnerability\n----------------------------------------------------------------------\n-----=\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": null, "vector": null}, "published": "2011-11-07T00:00:00", "type": "nessus", "title": "Fedora 16 : ocsinventory-1.3.3-5.fc16 (2011-14923)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:ocsinventory", "cpe:/o:fedoraproject:fedora:16"], "id": "FEDORA_2011-14923.NASL", "href": "https://www.tenable.com/plugins/nessus/56718", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2011-14923.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(56718);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2011-4024\");\n script_bugtraq_id(50011);\n script_xref(name:\"FEDORA\", value:\"2011-14923\");\n\n script_name(english:\"Fedora 16 : ocsinventory-1.3.3-5.fc16 (2011-14923)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix a XSS vulnerability\n----------------------------------------------------------------------\n-----=\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=748072\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2011-November/068762.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b9d10489\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected ocsinventory package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:ocsinventory\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/11/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"ocsinventory-1.3.3-5.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ocsinventory\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2017-07-25T10:55:31", "description": "Check for the Version of ocsinventory", "cvss3": {}, "published": "2011-11-14T00:00:00", "type": "openvas", "title": "Fedora Update for ocsinventory FEDORA-2011-14963", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:863616", "href": "http://plugins.openvas.org/nasl.php?oid=863616", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ocsinventory FEDORA-2011-14963\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Open Computer and Software Inventory Next Generation is an application\n designed to help a network or system administrator keep track of the\n computers configuration and software that are installed on the network.\n\n OCS Inventory is also able to detect all active devices on your network,\n such as switch, router, network printer and unattended devices.\n\n OCS Inventory NG includes package deployment feature on client computers.\n\n ocsinventory is a metapackage that will install the communication server,\n the administration console and the database server (MySQL).\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"ocsinventory on Fedora 14\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069280.html\");\n script_id(863616);\n script_version(\"$Revision: 6626 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:30:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-11-14 10:47:59 +0530 (Mon, 14 Nov 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2011-14963\");\n script_cve_id(\"CVE-2011-4024\");\n script_name(\"Fedora Update for ocsinventory FEDORA-2011-14963\");\n\n script_summary(\"Check for the Version of ocsinventory\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"ocsinventory\", rpm:\"ocsinventory~1.3.3~5.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2020-07-21T22:06:37", "description": "This host is running OCS Inventory NG and is prone to cross site\n scripting vulnerability.", "cvss3": {}, "published": "2011-11-15T00:00:00", "type": "openvas", "title": "OCS Inventory NG Persistent Cross-site Scripting Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2020-07-03T00:00:00", "id": "OPENVAS:1361412562310902749", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902749", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# OCS Inventory NG Persistent Cross-site Scripting Vulnerability\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ocsinventory-ng:ocs_inventory_ng\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902749\");\n script_version(\"2020-07-03T07:18:20+0000\");\n script_cve_id(\"CVE-2011-4024\");\n script_bugtraq_id(50011);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-07-03 07:18:20 +0000 (Fri, 03 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-11-15 16:35:51 +0530 (Tue, 15 Nov 2011)\");\n\n script_name(\"OCS Inventory NG Persistent Cross-site Scripting Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/46311\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/70406\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/18005/\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_ocs_inventory_ng_detect.nasl\");\n script_mandatory_keys(\"ocs_inventory_ng/detected\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to certain system information passed via a 'POST' request\n to '/ocsinventory' is not properly sanitised before being used.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to OCS Inventory NG version 2.0.2 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"summary\", value:\"This host is running OCS Inventory NG and is prone to cross site\n scripting vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to insert arbitrary HTML\n and script code, which will be executed in a user's browser session in\n context of an affected site when the malicious data is being viewed.\");\n\n script_tag(name:\"affected\", value:\"OCS Inventory NG version 2.0.1 and prior\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nvers = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif (version_is_less(version: vers, test_version: \"2.0.2\")) {\n report = report_fixed_ver(installed_version: vers, fixed_version: \"2.0.2\", install_path: location);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:39:37", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2011-11-14T00:00:00", "type": "openvas", "title": "Fedora Update for ocsinventory FEDORA-2011-15007", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310863614", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863614", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ocsinventory FEDORA-2011-15007\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069293.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.863614\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-11-14 10:47:57 +0530 (Mon, 14 Nov 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name:\"FEDORA\", value:\"2011-15007\");\n script_cve_id(\"CVE-2011-4024\");\n script_name(\"Fedora Update for ocsinventory FEDORA-2011-15007\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ocsinventory'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC15\");\n script_tag(name:\"affected\", value:\"ocsinventory on Fedora 15\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC15\")\n{\n\n if ((res = isrpmvuln(pkg:\"ocsinventory\", rpm:\"ocsinventory~1.3.3~5.fc15\", rls:\"FC15\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2018-01-06T13:07:18", "description": "Check for the Version of ocsinventory", "cvss3": {}, "published": "2012-03-19T00:00:00", "type": "openvas", "title": "Fedora Update for ocsinventory FEDORA-2011-14923", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2018-01-04T00:00:00", "id": "OPENVAS:863831", "href": "http://plugins.openvas.org/nasl.php?oid=863831", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ocsinventory FEDORA-2011-14923\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Open Computer and Software Inventory Next Generation is an application\n designed to help a network or system administrator keep track of the\n computers configuration and software that are installed on the network.\n\n OCS Inventory is also able to detect all active devices on your network,\n such as switch, router, network printer and unattended devices.\n\n OCS Inventory NG includes package deployment feature on client computers.\n\n ocsinventory is a metapackage that will install the communication server,\n the administration console and the database server (MySQL).\";\n\ntag_affected = \"ocsinventory on Fedora 16\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-November/068762.html\");\n script_id(863831);\n script_version(\"$Revision: 8285 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-04 07:29:16 +0100 (Thu, 04 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-03-19 12:22:03 +0530 (Mon, 19 Mar 2012)\");\n script_cve_id(\"CVE-2011-4024\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2011-14923\");\n script_name(\"Fedora Update for ocsinventory FEDORA-2011-14923\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of ocsinventory\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"ocsinventory\", rpm:\"ocsinventory~1.3.3~5.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:55:55", "description": "Check for the Version of ocsinventory", "cvss3": {}, "published": "2011-11-14T00:00:00", "type": "openvas", "title": "Fedora Update for ocsinventory FEDORA-2011-15007", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:863614", "href": "http://plugins.openvas.org/nasl.php?oid=863614", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ocsinventory FEDORA-2011-15007\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Open Computer and Software Inventory Next Generation is an application\n designed to help a network or system administrator keep track of the\n computers configuration and software that are installed on the network.\n\n OCS Inventory is also able to detect all active devices on your network,\n such as switch, router, network printer and unattended devices.\n\n OCS Inventory NG includes package deployment feature on client computers.\n\n ocsinventory is a metapackage that will install the communication server,\n the administration console and the database server (MySQL).\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"ocsinventory on Fedora 15\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069293.html\");\n script_id(863614);\n script_version(\"$Revision: 6626 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:30:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-11-14 10:47:57 +0530 (Mon, 14 Nov 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"FEDORA\", value: \"2011-15007\");\n script_cve_id(\"CVE-2011-4024\");\n script_name(\"Fedora Update for ocsinventory FEDORA-2011-15007\");\n\n script_summary(\"Check for the Version of ocsinventory\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC15\")\n{\n\n if ((res = isrpmvuln(pkg:\"ocsinventory\", rpm:\"ocsinventory~1.3.3~5.fc15\", rls:\"FC15\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-09-04T14:20:08", "description": "This host is running OCS Inventory NG and is prone to cross site\n scripting vulnerability.", "cvss3": {}, "published": "2011-11-15T00:00:00", "type": "openvas", "title": "OCS Inventory NG Persistent Cross-site Scripting Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2017-09-01T00:00:00", "id": "OPENVAS:902749", "href": "http://plugins.openvas.org/nasl.php?oid=902749", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ocs_inventory_ng_xss_vuln.nasl 7044 2017-09-01 11:50:59Z teissa $\n#\n# OCS Inventory NG Persistent Cross-site Scripting Vulnerability\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow remote attackers to insert arbitrary HTML\n and script code, which will be executed in a user's browser session in\n context of an affected site when the malicious data is being viewed.\n Impact Level: Application/System\";\ntag_affected = \"OCS Inventory NG version 2.0.1 and prior\";\n\ntag_insight = \"The flaw exists due to certain system information passed via a 'POST' request\n to '/ocsinventory' is not properly sanitised before being used.\";\ntag_solution = \"Upgrade to OCS Inventory NG version 2.0.2 or later\n For updates refer to http://www.ocsinventory-ng.org/fr/\";\ntag_summary = \"This host is running OCS Inventory NG and is prone to cross site\n scripting vulnerability.\";\n\nif(description)\n{\n script_id(902749);\n script_version(\"$Revision: 7044 $\");\n script_cve_id(\"CVE-2011-4024\");\n script_bugtraq_id(50011);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-01 13:50:59 +0200 (Fri, 01 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-11-15 16:35:51 +0530 (Tue, 15 Nov 2011)\");\n script_name(\"OCS Inventory NG Persistent Cross-site Scripting Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/46311\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/70406\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/18005/\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_ocs_inventory_ng_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"version_func.inc\");\n\nocsPort = get_http_port(default:80);\nif(!get_port_state(ocsPort)){\n exit(0);\n}\n\n## Get version from KB\nif(!ocsVer = get_version_from_kb(port:ocsPort,app:\"OCS_Inventory_NG\")){\n exit(0);\n}\n\n## Check OCS Inventory NG version < 2.0.2\nif(version_is_less(version:ocsVer, test_version:\"2.0.2\")){\n security_message(ocsPort);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-05-29T18:38:54", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2012-03-19T00:00:00", "type": "openvas", "title": "Fedora Update for ocsinventory FEDORA-2011-14923", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310863831", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863831", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ocsinventory FEDORA-2011-14923\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2011-November/068762.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.863831\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-03-19 12:22:03 +0530 (Mon, 19 Mar 2012)\");\n script_cve_id(\"CVE-2011-4024\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name:\"FEDORA\", value:\"2011-14923\");\n script_name(\"Fedora Update for ocsinventory FEDORA-2011-14923\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ocsinventory'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"ocsinventory on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"ocsinventory\", rpm:\"ocsinventory~1.3.3~5.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:40:00", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2011-11-14T00:00:00", "type": "openvas", "title": "Fedora Update for ocsinventory FEDORA-2011-14963", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310863616", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310863616", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ocsinventory FEDORA-2011-14963\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069280.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.863616\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-11-14 10:47:59 +0530 (Mon, 14 Nov 2011)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_xref(name:\"FEDORA\", value:\"2011-14963\");\n script_cve_id(\"CVE-2011-4024\");\n script_name(\"Fedora Update for ocsinventory FEDORA-2011-14963\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ocsinventory'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC14\");\n script_tag(name:\"affected\", value:\"ocsinventory on Fedora 14\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"ocsinventory\", rpm:\"ocsinventory~1.3.3~5.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:19", "description": "", "cvss3": {}, "published": "2011-10-20T00:00:00", "type": "packetstorm", "title": "OCS Inventory NG 2.0.1 Cross Site Scripting", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2011-10-20T00:00:00", "id": "PACKETSTORM:106040", "href": "https://packetstormsecurity.com/files/106040/OCS-Inventory-NG-2.0.1-Cross-Site-Scripting.html", "sourceData": "`OCS Inventory NG 2.0.1 Persistent XSS (CVE-2011-4024) \n------------------------------------------------------- \n \nSoftware : Open Computer and Software (OCS) Inventory NG \nDownload : http://www.ocsinventory-ng.org/ \nDiscovered by : Nicolas DEROUET (nicolas.derouet[gmail]com) \nDiscover : 2011-10-04 \nPublished : 2011-10-05 \nVersion : 2.0.1 and prior \nImpact : Persistent XSS \nRemote : Yes (No authentication is needed) \nCVE-ID : CVE-2011-4024 \n \n \nInfo \n---- \n \nOpen Computer and Software (OCS) Inventory Next Generation (NG) is an \napplication designed to help a network or system administrator keep track \nof the computers configuration and software that are installed on the network. \n \n \nDetails \n------- \n \nThe vulnerability is in the data sent by the agent OCS. The inventory service \nand the admin panel does not control the data received. An attacker could inject \nmalicous HTML/JS through into the inventory information (eg. the computer \ndescription field under WinXP). This data is printed in the admin panel wich \ncan lead to a session hijack or whatever you want. \n \n \nPoC \n--- \n \n1. Enter the XSS script (eg. \n<script>alert(String.fromCharCode(88,83,83))</script>) \nin the computer description field. (WinXP > System Properties > Computer \nName > Computer Description) \n \n2. Launch an inventory with OCS Agent \n \n3. Go on the admin panel (http://SERVER/ocsreports/) \n \n4. View your computer detail \n \nTested on : OCS Agent 2.0.1 (WinXP SP3) and OCS Server 2.0.1 (Windows). \nNot tested on : Linux Plateform and GLPI (OCS import) \n \n \nSolution \n-------- \n \nUpgrade to OCS Inventory NG 2.0.2 \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/106040/ocsinventoryng201-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:50", "description": "Open Computer and Software Inventory Next Generation is an application designed to help a network or system administrator keep track of the computers configuration and software that are installed on the network. OCS Inventory is also able to detect all active devices on your network, such as switch, router, network printer and unattended devices. OCS Inventory NG includes package deployment feature on client computers. ocsinventory is a metapackage that will install the communication server, the administration console and the database server (MySQL). ", "cvss3": {}, "published": "2011-11-05T01:18:42", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: ocsinventory-1.3.3-5.fc16", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4024"], "modified": "2011-11-05T01:18:42", "id": "FEDORA:DF3F620E88", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2E5Z5Y4XBONI2FCA64CLIHTLBAKBZWEA/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:50", "description": "Open Computer and Software Inventory Next Generation is an application designed to help a network or system administrator keep track of the computers configuration and software that are installed on the network. OCS Inventory is also able to detect all active devices on your network, such as switch, router, network printer and unattended devices. OCS Inventory NG includes package deployment feature on client computers. ocsinventory is a metapackage that will install the communication server, the administration console and the database server (MySQL). ", "cvss3": {}, "published": "2011-11-14T00:52:07", "type": "fedora", "title": "[SECURITY] Fedora 14 Update: ocsinventory-1.3.3-5.fc14", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4024"], "modified": "2011-11-14T00:52:07", "id": "FEDORA:5800221781", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Y4RSDUJYC7ZUFMKNZHQQTE3JL33RIDOX/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2021-11-22T21:56:09", "description": "Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory\nNG 2.0.1 and earlier allows remote attackers to inject arbitrary web script\nor HTML via unspecified vectors.\n\n#### Bugs\n\n * <https://bugzilla.redhat.com/748072>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[tyhicks](<https://launchpad.net/~tyhicks>) | Per Red Hat bugzilla, 1.3.3 is affected so 1.02.2 is likely affected.\n", "cvss3": {}, "published": "2011-10-21T00:00:00", "type": "ubuntucve", "title": "CVE-2011-4024", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4024"], "modified": "2011-10-21T00:00:00", "id": "UB:CVE-2011-4024", "href": "https://ubuntu.com/security/CVE-2011-4024", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "seebug": [{"lastseen": "2017-11-19T14:10:59", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "OCS Inventory NG 2.0.1 Persistent XSS", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-72245", "id": "SSV:72245", "sourceData": "\n OCS Inventory NG 2.0.1 - Persistent XSS (CVE-2011-4024)\r\n-------------------------------------------------------\r\n\r\nSoftware : Open Computer and Software (OCS) Inventory NG\r\nDownload : http://www.ocsinventory-ng.org/\r\nDiscovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)\r\nDiscover : 2011-10-04\r\nPublished : 2011-10-05\r\nVersion : 2.0.1 and prior\r\nImpact : Persistent XSS\r\nRemote : Yes (No authentication is needed)\r\nCVE-ID : CVE-2011-4024\r\n\r\n\r\nInfo\r\n----\r\n\r\nOpen Computer and Software (OCS) Inventory Next Generation (NG) is an\r\napplication designed to help a network or system administrator keep track\r\nof the computers configuration and software that are installed on the network.\r\n\r\n\r\nDetails\r\n-------\r\n\r\nThe vulnerability is in the data sent by the agent OCS. The inventory service\r\nand the admin panel does not control the data received. An attacker could inject\r\nmalicous HTML/JS through into the inventory information (eg. the computer\r\ndescription field under WinXP). This data is printed in the admin panel wich\r\ncan lead to a session hijack or whatever you want.\r\n\r\n\r\nPoC\r\n---\r\n\r\n1. Enter the XSS script (eg. <script>alert(String.fromCharCode(88,83,83))</script>)\r\n in the computer description field. (WinXP > System Properties > Computer\r\n Name > Computer Description)\r\n \r\n2. Launch an inventory with OCS Agent\r\n\r\n3. Go on the admin panel (http://SERVER/ocsreports/)\r\n\r\n4. View your computer detail \r\n\r\nTested on : OCS Agent 2.0.1 (WinXP SP3) and OCS Server 2.0.1 (Windows).\r\nNot tested on : Linux Plateform and GLPI (OCS import)\r\n\r\n\r\nSolution\r\n--------\r\n\r\nUpgrade to OCS Inventory NG 2.0.2\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-72245", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:42", "description": "OCS Inventory NG 2.0.1 Persistent XSS (CVE-2011-4024)\r\n-------------------------------------------------------\r\n\r\nSoftware\u00a0\u00a0\u00a0\u00a0\u00a0 : Open Computer and Software (OCS) Inventory NG\r\nDownload\u00a0\u00a0\u00a0\u00a0\u00a0 : http://www.ocsinventory-ng.org/\r\nDiscovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)\r\nDiscover\u00a0\u00a0\u00a0\u00a0\u00a0 : 2011-10-04\r\nPublished\u00a0\u00a0\u00a0\u00a0 : 2011-10-05\r\nVersion\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 2.0.1 and prior\r\nImpact\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Persistent XSS\r\nRemote\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : Yes (No authentication is needed)\r\nCVE-ID\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : CVE-2011-4024\r\n\r\n\r\nInfo\r\n----\r\n\r\nOpen Computer and Software (OCS) Inventory Next Generation (NG) is an\r\napplication designed to help a network or system administrator keep track\r\nof the computers configuration and software that are installed on the network.\r\n\r\n\r\nDetails\r\n-------\r\n\r\nThe vulnerability is in the data sent by the agent OCS. The inventory service\r\nand the admin panel does not control the data received. An attacker could inject\r\nmalicous HTML/JS through into the inventory information (eg. the computer\r\ndescription field under WinXP). This data is printed in the admin panel wich\r\ncan lead to a session hijack or whatever you want.\r\n\r\n\r\nPoC\r\n---\r\n\r\n1. Enter the XSS script (eg.\r\n<script>alert(String.fromCharCode(88,83,83))</script>)\r\n\u00a0\u00a0 in the computer description field. (WinXP > System Properties > Computer\r\n\u00a0\u00a0 Name > Computer Description)\r\n\r\n2. Launch an inventory with OCS Agent\r\n\r\n3. Go on the admin panel (http://SERVER/ocsreports/)\r\n\r\n4. View your computer detail\r\n\r\nTested on\u00a0\u00a0\u00a0\u00a0 : OCS Agent 2.0.1 (WinXP SP3) and OCS Server 2.0.1 (Windows).\r\nNot tested on : Linux Plateform and GLPI (OCS import)\r\n\r\n\r\nSolution\r\n--------\r\n\r\nUpgrade to OCS Inventory NG 2.0.2\r\n", "edition": 1, "cvss3": {}, "published": "2011-10-24T00:00:00", "title": "OCS Inventory NG 2.0.1 Persistent XSS (CVE-2011-4024)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2011-4024"], "modified": "2011-10-24T00:00:00", "id": "SECURITYVULNS:DOC:27193", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27193", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-06-08T18:44:50", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 2, "cvss3": {}, "published": "2011-10-24T00:00:00", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2009-3580", "CVE-2011-1364", "CVE-2011-4024"], "modified": "2011-10-24T00:00:00", "id": "SECURITYVULNS:VULN:11995", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11995", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debiancve": [{"lastseen": "2021-12-14T17:51:10", "description": "Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "cvss3": {}, "published": "2011-10-21T18:55:00", "type": "debiancve", "title": "CVE-2011-4024", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4024"], "modified": "2011-10-21T18:55:00", "id": "DEBIANCVE:CVE-2011-4024", "href": "https://security-tracker.debian.org/tracker/CVE-2011-4024", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T12:36:28", "description": "Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "cvss3": {}, "published": "2011-10-21T18:55:00", "type": "cve", "title": "CVE-2011-4024", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4024"], "modified": "2017-12-29T02:29:00", "cpe": ["cpe:/a:ocsinventory-ng:ocs_inventory_ng:1.01", "cpe:/a:ocsinventory-ng:ocs_inventory_ng:2.0.1", "cpe:/a:ocsinventory-ng:ocs_inventory_ng:1.02.1", "cpe:/a:ocsinventory-ng:ocs_inventory_ng:1.02", "cpe:/a:ocsinventory-ng:ocs_inventory_ng:1.0"], "id": "CVE-2011-4024", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4024", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.01:*:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.02:rc2:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.02.1:*:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.02:rc3:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.02:rc1:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.02:*:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.0:rc3-1:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ocsinventory-ng:ocs_inventory_ng:1.0:beta:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-01-13T06:43:01", "description": "", "cvss3": {}, "published": "2011-10-20T00:00:00", "type": "exploitdb", "title": "OCS Inventory NG 2.0.1 - Persistent Cross-Site Scripting", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-4024", "2011-4024"], "modified": "2011-10-20T00:00:00", "id": "EDB-ID:18005", "href": "https://www.exploit-db.com/exploits/18005", "sourceData": "OCS Inventory NG 2.0.1 - Persistent XSS (CVE-2011-4024)\r\n-------------------------------------------------------\r\n\r\nSoftware : Open Computer and Software (OCS) Inventory NG\r\nDownload : http://www.ocsinventory-ng.org/\r\nDiscovered by : Nicolas DEROUET (nicolas.derouet[gmail]com)\r\nDiscover : 2011-10-04\r\nPublished : 2011-10-05\r\nVersion : 2.0.1 and prior\r\nImpact : Persistent XSS\r\nRemote : Yes (No authentication is needed)\r\nCVE-ID : CVE-2011-4024\r\n\r\n\r\nInfo\r\n----\r\n\r\nOpen Computer and Software (OCS) Inventory Next Generation (NG) is an\r\napplication designed to help a network or system administrator keep track\r\nof the computers configuration and software that are installed on the network.\r\n\r\n\r\nDetails\r\n-------\r\n\r\nThe vulnerability is in the data sent by the agent OCS. The inventory service\r\nand the admin panel does not control the data received. An attacker could inject\r\nmalicous HTML/JS through into the inventory information (eg. the computer\r\ndescription field under WinXP). This data is printed in the admin panel wich\r\ncan lead to a session hijack or whatever you want.\r\n\r\n\r\nPoC\r\n---\r\n\r\n1. Enter the XSS script (eg. <script>alert(String.fromCharCode(88,83,83))</script>)\r\n in the computer description field. (WinXP > System Properties > Computer\r\n Name > Computer Description)\r\n \r\n2. Launch an inventory with OCS Agent\r\n\r\n3. Go on the admin panel (http://SERVER/ocsreports/)\r\n\r\n4. View your computer detail \r\n\r\nTested on : OCS Agent 2.0.1 (WinXP SP3) and OCS Server 2.0.1 (Windows).\r\nNot tested on : Linux Plateform and GLPI (OCS import)\r\n\r\n\r\nSolution\r\n--------\r\n\r\nUpgrade to OCS Inventory NG 2.0.2", "sourceHref": "https://www.exploit-db.com/download/18005", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}
[SECURITY] Fedora 15 Update: ocsinventory-1.3.3-5.fc15
