CVE-2026-47687
Discovered by AISLEPUBLISHEDCWE-79
Description
The selectForm() helper renders <option> labels using unescaped user input. An unauthenticated attacker with knowledge of a registered host’s MAC address can POST malicious sysproduct values to an unauthenticated inventory endpoint, which are stored in the database. When administrators access the Inventory Report, the payload executes arbitrary JavaScript in their browser.
CVSS Base Scores
CVSS v3.1(Primary)
7.3CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| FOGProject | FOG | < 1.5.10.1832 | — |
| FOGProject | FOG | < 1.6.0-beta.2313 | — |
| FOGProject | fogproject | < 1.5.10.1832 | — |
| FOGProject | fogproject | < 1.6.0-beta.2313 | — |
Credits
- pavelkohout396(reporter)
Solutions
Upgrade to FOG >= 1.5.10.1832 (stable) or >= 1.6.0-beta.2313 (beta), where the selectForm() option labels are properly escaped.