CVE-2018-25349

userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For Header

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79

Vexday Risk Score

33Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 5.1EPSS 0.2%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

23 May 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators visit the audit log page.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected products

UserSpice · userSpice

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/44871unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.exploit-db.com/exploits/44871 https://www.vulncheck.com/advisories/userspice-cross-site-scripting-via-x-forwarded-for-header