
CVE-2026-22675 — 神龙十问 (Ten Questions) AI Deep Analysis Summary

CVSS 5.4 · Medium

Q1 What is this vulnerability? (Nature + consequences)

- **CVE-2026-22675**: Stored XSS in OCS Inventory NG 🚨
- Affects v2.12.3 and earlier.
- Malicious **JavaScript** is stored and later executed.
- 🎯 Unauth attackers may run scripts in victims' browsers.…

Q2 Root cause? (CWE / defect point)

- **Root Cause**: Stored Cross-Site Scripting flaw 🔍
- Likely **CWE-79**: Improper neutralization of input during web page generation.
- Input from the **User-Agent** header is not sanitized properly.…

Q3 Who is affected? (Versions / components)

- **Affected Product**: OCS Inventory NG (open-source IT asset management) 🖥️
- **Versions**: ≤ 2.12.3
- **Component**: Server side (storage of the User-Agent value).

Q4 What can an attacker do? (Privileges / data)

- Attackers need **low privileges** (PR:L) ✅
- Can execute **arbitrary JS** in other users' sessions.
- 💥 May access sensitive info, modify the UI, steal cookies/tokens.…

Q5 Is the exploitation bar high? (Authentication / configuration)

- **Exploitation threshold**: LOW ⚠️
- **Auth required**: Yes (PR:L = low privilege level).
- Triggered via the **User-Agent** header → stored → later rendered.
- 🧩 No special configuration needed. Common web interaction (UI:R).

Q6 Is there a ready-made exploit? (PoC / in-the-wild exploitation)

- **Public PoC**: ❌ None listed in the data 🔍
- The `pocs` array is empty.
- No sign of in-the-wild exploitation yet.
- Risk remains, however, because the vector is easy to find.

Q7 How to self-check? (Indicators / scanning)

- **Self-check steps**:
  - 🔎 Review server logs for suspicious **User-Agent** strings.
  - Check stored inventory data for unexpected HTML/JS.
  - Use browser dev tools to inspect pages that load agent data.…

Q8 Has the vendor fixed it? (Patch / mitigation)

- **Official fix**: ✅ YES 🛡️
- Patch in commit `78faf2ca` (GitHub).
- PR #483 tracks the issue.
- Update to the patched version to remove the vulnerability.

Q9 What if no patch is available? (Temporary workarounds)

- **Workarounds without a patch**:
  - Sanitize the **User-Agent** value before storing it 🧼.
  - Encode output when rendering stored agent data.
  - Apply strict CSP headers 🚧 to block inline JS execution.…
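As an added example (not from the original analysis and not code from the OCS Inventory NG project), the following Python script puts the Q7 self-check and the Q9 output-encoding workaround into working form: it parses Apache-style combined log lines, flags User-Agent values that carry HTML or script markup, and shows the HTML escaping a stored agent string needs before it is rendered into a page. The sample log lines are constructed, and the pattern list, log format and all function names are assumptions for illustration rather than OCS Inventory's own format or code.

```python
import html
import re

# Markers that have no business in a legitimate User-Agent string.
# Each entry is (name, compiled pattern); names appear in the findings.
SUSPICIOUS_UA_PATTERNS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I)),  # any tag opener, e.g. <script
    ("javascript_url", re.compile(r"javascript\s*:", re.I)),       # javascript: pseudo-URLs
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),        # inline handlers such as onerror=
    ("html_entity", re.compile(r"&#x?[0-9a-f]+;", re.I)),          # numeric entities hiding markup
]

# Assumed Apache/nginx "combined" format:
# ip ident user [timestamp] "request" status bytes "referer" "user-agent"
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not real traffic): one agent check-in with a
# normal agent string, one with markup smuggled into the User-Agent, and one
# ordinary browser request to the reporting UI.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2026:12:00:01 +0000] "POST /ocsinventory HTTP/1.1" '
    '200 512 "-" "OCS-NG_unified_unix_agent_v2.10.0"',
    '203.0.113.9 - - [10/Jan/2026:12:00:07 +0000] "POST /ocsinventory HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 <script>alert(1)</script>"',
    '203.0.113.12 - - [10/Jan/2026:12:00:09 +0000] "GET /ocsreports/ HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"',
]


def parse_user_agent(log_line):
    """Return the User-Agent field of a combined-format log line, or None."""
    m = COMBINED_LOG_RE.match(log_line)
    return m.group("ua") if m else None


def classify_user_agent(ua):
    """Return the names of every suspicious pattern found in the UA string."""
    return [name for name, pattern in SUSPICIOUS_UA_PATTERNS if pattern.search(ua)]


def scan_log_lines(lines):
    """Q7 self-check: list (line_no, user_agent, matched_patterns) for flagged lines."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        ua = parse_user_agent(line)
        if ua is None:
            continue  # not in the expected format; skip rather than guess
        hits = classify_user_agent(ua)
        if hits:
            findings.append((line_no, ua, hits))
    return findings


def render_user_agent(ua):
    """Q9 workaround: HTML-encode a stored agent string before placing it in a page.

    Encoding at output time is the durable fix for CWE-79; filtering on input
    alone (classify_user_agent) is detection, not a substitute for this step.
    """
    return html.escape(ua, quote=True)


if __name__ == "__main__":
    for line_no, ua, hits in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: {hits} in User-Agent {ua!r}")
        print(f"  safe to render as: {render_user_agent(ua)}")
```

The same `classify_user_agent` check can be run over the User-Agent column already stored in the inventory database, which covers the second Q7 step (stored data that contains unexpected HTML/JS). A strict Content-Security-Policy, the third Q9 item, is configured on the web server or in response headers rather than in application code, and it limits damage only where the page has no inline scripts that the policy would also block.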

Q10 How urgent is it? (Priority recommendation)

- **Urgency**: HIGH 🚨
- CVSS vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Scope change (S:C) = impact beyond the vulnerable component.
- 💡 Fix ASAP if running ≤ v2.12.3.
- Prevents session/data compromise.