CVE-2026-47689
Description
The buildRow() method in fogpage.class.php substitutes data values into HTML table cell templates using str_replace() without any HTML escaping. An unauthenticated attacker who knows any registered host’s MAC address can POST malicious inventory values (e.g. sysproduct, sysserial) to /service/inventory.php, which stores them in the database. When an administrator opens the Group Inventory tab, the payload renders as executable HTML/JavaScript in the admin’s browser. This is distinct from the selectForm() unescaped option label issue: it affects a different function (buildRow()) and a different page (Group Inventory tab).
CVSS Base Scores
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| FOGProject | FOG | < 1.5.10.1832 | — |
| FOGProject | FOG | < 1.6.0-beta.2313 | — |
| FOGProject | fogproject | < 1.5.10.1832 | — |
| FOGProject | fogproject | < 1.6.0-beta.2313 | — |
Credits
- pavelkohout396(reporter)
Solutions
Upgrade to a fixed release at or above 1.5.10.1832 (stable line) or 1.6.0-beta.2313 (beta line). The recommended fix is to HTML-escape replacement values in buildRow() before passing them to str_replace().