CVE-2026-47689

Discovered by AISLEPUBLISHEDCWE-79

Description

The buildRow() method in fogpage.class.php substitutes data values into HTML table cell templates using str_replace() without any HTML escaping. An unauthenticated attacker who knows any registered host’s MAC address can POST malicious inventory values (e.g. sysproduct, sysserial) to /service/inventory.php, which stores them in the database. When an administrator opens the Group Inventory tab, the payload renders as executable HTML/JavaScript in the admin’s browser. This is distinct from the selectForm() unescaped option label issue: it affects a different function (buildRow()) and a different page (Group Inventory tab).

CVSS Base Scores

CVSS v3.1(Primary)
4.6

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionStatus
FOGProjectFOG< 1.5.10.1832
FOGProjectFOG< 1.6.0-beta.2313
FOGProjectfogproject< 1.5.10.1832
FOGProjectfogproject< 1.6.0-beta.2313

Credits

  • pavelkohout396(reporter)

Solutions

Upgrade to a fixed release at or above 1.5.10.1832 (stable line) or 1.6.0-beta.2313 (beta line). The recommended fix is to HTML-escape replacement values in buildRow() before passing them to str_replace().

References