Executive Summary

CVE-2026-33739 is a Stored Cross-Site Scripting (XSS) vulnerability in the FOGProject, an open-source cloning and inventory management system. It affects multiple management pages such as Host, Storage, Group, Image, Printer, and Snapin. The vulnerability arises because the application does not properly sanitize input parameters on the server side during record creation and updates, and it fails to escape HTML characters when displaying data in listing tables.

This allows attackers with authenticated access to inject malicious JavaScript code (e.g., <script>alert(1)</script>) into various fields like User Friendly Name, Group Name, Image Name, Printer Name, and others. When other users view these pages, the malicious scripts execute in their browsers.

The root cause includes insufficient server-side sanitization and lack of HTML escaping in the code, specifically in methods that replace template variables and build table rows.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several impacts if exploited:

• Attackers can hijack administrator sessions by stealing cookies.
• Unauthorized actions can be performed with administrator privileges.
• Sensitive data can be exfiltrated from users who view the affected pages.
• Malicious scripts can execute in the context of privileged users’ browsers, potentially leading to further compromise.

The vulnerability requires the attacker to have authenticated access and for the victim to view the malicious content, but it can be exploited remotely over the network.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious JavaScript payloads such as <script>alert(1)</script> in the input fields of multiple management pages (Host, Storage, Group, Image, Printer, Snapin) within the FOGProject web interface.

Since the vulnerability arises from stored cross-site scripting due to insufficient server-side sanitization and lack of HTML escaping, detection involves inspecting the database or the web interface for injected script tags in fields like Friendly Name, Group Name, Image Name, Printer Name, Port, Model, File, Snapin Name, and Storage Node Name.

There are no specific commands provided in the resources to detect this vulnerability on your network or system.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade FOGProject to version 1.5.10.1812 or later, where this Stored Cross-Site Scripting vulnerability has been patched.

Until the upgrade can be performed, restrict access to the management pages to trusted administrators only, as the vulnerability requires authenticated access and user interaction.

Additionally, review and sanitize any existing input fields in the database that may contain malicious scripts to prevent execution when viewed.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to execute stored Cross-Site Scripting (XSS) attacks, which can lead to session hijacking, unauthorized actions with administrator privileges, and exfiltration of sensitive data from users viewing the affected pages.

Such impacts can compromise the confidentiality and integrity of sensitive data, potentially violating data protection requirements in common standards and regulations like GDPR and HIPAA that mandate safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could lead to non-compliance with these regulations due to the exposure and unauthorized manipulation of sensitive data.

Useful 0 Not Useful 0