PatchSiren cyber security CVE debrief
CVE-2018-25349 UserSpice CVE debrief
CVE-2018-25349 is a cross-site scripting (XSS) vulnerability in userSpice 4.3.24 that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. The vulnerability exists in the backup.php endpoint, where crafted requests containing XSS payloads in the X-Forwarded-For header are logged and later execute when an administrator views the audit log page. This is a stored XSS attack vector: the malicious payload is persisted in application logs and triggered by privileged user interaction. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no privileges required, and user interaction required for exploitation, with low impact on the confidentiality and integrity of the affected system. The CVE was published on May 23, 2026 and last modified on May 26, 2026. It is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: UserSpice
- Product: Unknown
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-23
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-23
- Advisory updated: 2026-05-26
Who should care
Organizations running userSpice 4.3.24 or earlier versions should prioritize review, particularly those with externally accessible administrative interfaces or audit log viewers. Security teams should assess logging practices for header injection vulnerabilities. Web application developers should examine similar patterns in custom applications that log proxy headers without sanitization.
Technical summary
The vulnerability exists in userSpice 4.3.24 where the application fails to properly sanitize the X-Forwarded-For HTTP header before storing it in audit logs. An attacker can send a crafted HTTP request to the backup.php endpoint with a malicious JavaScript payload in the X-Forwarded-For header. When an administrator views the audit log page, the unsanitized payload executes in the context of the administrator's browser session. This is a stored XSS vulnerability requiring user interaction for exploitation, with the attack payload persisted in application logs rather than requiring real-time injection.
Defensive priority
medium
Recommended defensive actions
- Review and sanitize all HTTP headers including X-Forwarded-For before logging or displaying in administrative interfaces
- Implement Content Security Policy (CSP) headers to mitigate impact of XSS vulnerabilities
- Apply output encoding when rendering log data in administrative panels
- Upgrade to a patched version of userSpice when available
- Review audit log access controls to limit exposure to trusted administrative users only
- Consider implementing header validation to reject or sanitize unexpected characters in X-Forwarded-For and similar proxy headers
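The header validation, output encoding and log review described above, as an added illustration that is not userSpice code: `parse_xff` accepts only a comma-separated list of IP literals (the only content X-Forwarded-For should carry), `xff_for_log` is what a logging layer would persist, `render_log_cell` encodes at display time regardless of what was stored, and `find_suspicious_xff` reviews already-stored rows for values that are not pure IP lists. Function names and the sample audit rows are constructed for this example.

```python
import html
import ipaddress

# Constructed audit-log rows in the shape an application might persist:
# (endpoint requested, X-Forwarded-For value as received)
SAMPLE_AUDIT_ROWS = [
    ("backup.php", "203.0.113.7"),
    ("backup.php", "203.0.113.7, 198.51.100.2"),
    ("backup.php", "<script>x</script>"),   # constructed hostile header, inert
    ("backup.php", "2001:db8::1"),
]


def parse_xff(header):
    """Return the normalized IP list from an X-Forwarded-For value, or None if
    the header is empty or any element is not a valid IPv4/IPv6 literal."""
    if not header:
        return None
    addrs = []
    for part in header.split(","):
        try:
            addrs.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            return None
    return addrs


def xff_for_log(header, fallback="invalid"):
    """Value to persist in the audit log: the normalized IP list, or a fixed
    marker, so a header carrying anything but addresses never reaches storage."""
    addrs = parse_xff(header)
    return ", ".join(addrs) if addrs else fallback


def render_log_cell(value):
    """Output encoding at display time. Values are escaped even when believed
    clean, so storage validation and rendering are independent defences."""
    return html.escape(value, quote=True)


def find_suspicious_xff(rows):
    """Review stored rows: flag X-Forwarded-For values that are not pure IP lists."""
    return [(endpoint, value) for endpoint, value in rows if parse_xff(value) is None]


if __name__ == "__main__":
    for endpoint, value in find_suspicious_xff(SAMPLE_AUDIT_ROWS):
        print(f"suspicious X-Forwarded-For logged for {endpoint}: {render_log_cell(value)}")
```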
Evidence notes
The vulnerability description is sourced from official CVE metadata and NVD records. The attack vector (X-Forwarded-For header injection via backup.php, with execution when the audit log is viewed) is documented in the source references. CVSS 4.0 scoring and the CWE-79 classification are provided in NVD metadata. Vendor attribution is marked as low confidence and requires review because canonical source information is limited.
Official resources
This vulnerability was disclosed through coordinated disclosure channels, with an advisory published by VulnCheck and reference documentation on Exploit-DB.