CVE-2018-25349

MEDIUM

userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For Header

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25349. PoCs published by Dolev Farhi.

AI-analyzed exploit summary: This Perl script exploits a Cross-Site Scripting (XSS) vulnerability in UserSpice 4.3.24 by injecting a payload into the 'X-Forwarded-For' header. The payload is executed when an admin views the audit log page.

Description

userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators visit the audit log page.

Exploits (1)

exploitdb · WORKING POC
by Dolev Farhi · perl · webapps · php
https://www.exploit-db.com/exploits/44871


Classification
Working PoC: 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: UserSpice 4.3.24
Authentication: No auth needed
Prerequisites: Access to the target server · Admin interaction to trigger payload execution
Analyzed by devstral-2 on May 24, 2026

References (2)

Core References
Exploit
ExploitDB-44871
https://www.exploit-db.com/exploits/44871
Third Party Advisory
VulnCheck Advisory: userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For Header
https://www.vulncheck.com/advisories/userspice-cross-site-scripting-via-x-forwarded-for-header

Scores

CVSS v3: 6.1
EPSS: 0.0003
EPSS Percentile: 9.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): UserSpice/userSpice 4.3.24
Published: May 23, 2026
Tracked Since: May 24, 2026