CVE-2023-3726: 
Linux Debian vulnerability analysis and mitigation

OCSInventory version 2.12.0 contains a stored cross-site scripting vulnerability (CVE-2023-3726) that was discovered on July 17, 2023, and patched on August 11, 2023. The vulnerability affects the email template functionality in OCSInventory-ocsreports, allowing special characters to be stored that could lead to cross-site scripting attacks (Fluid Advisory).

The vulnerability is classified as a stored cross-site scripting (XSS) issue with a CVSS v3.1 base score of 6.9 (Medium) according to NVD, and 4.9 (Medium) according to Fluid Attacks. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N, indicating network accessibility, low attack complexity, high privileges required, and user interaction required. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

If exploited, this vulnerability could allow attackers to steal sensitive data such as session cookies. Additionally, if the server is in debug mode, attackers could potentially access password hashes. The attack requires the target to be an administrator with an active login session (Fluid Advisory).

The vulnerability has been patched in versions after 2.12.0. Users are advised to update to the latest version of OCSInventory-ocsreports available from the vendor's website (Fluid Advisory).