HSEC-2024-0001

Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2024/HSEC-2024-0001.json
JSON Data
https://api.osv.dev/v1/vulns/HSEC-2024-0001
Published
2024-02-27T17:06:24Z
Modified
2024-02-27T17:18:58.644533Z
Summary
Reflected XSS vulnerability in keter
Details

Reflected XSS vulnerability in keter

Keter is an app server and reverse proxy, often used with web apps built on the Yesod web framework.

In the logic handling virtual-host (VHost) dispatch, Keter echoed the Host header value back, unescaped, as part of an HTML error page. This constitutes a reflected XSS vulnerability. Although it is not readily exploitable directly from a browser (where the Host header cannot generally take arbitrary values), it may become exploitable in the presence of further weaknesses in components upstream of Keter in the HTTP proxying chain. Hence AC:High in the CVSS evaluation.
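The following is an added example, not keter's own code, that reproduces the pattern described above in miniature: a dispatcher that cannot match the Host header against its configured virtual hosts and returns an HTML error page naming the requested host. It shows the defect (interpolating the raw header value into HTML) beside the fix (HTML-escaping at the point of output), a small probe a reviewer can run against any error-page renderer to detect unescaped reflection, and a version check built from the affected range stated on this page (introduced 0.3.4, fixed 1.8.4). The vhost table, the page wording and all function names are constructed for the illustration.

```python
"""Added example (not keter's own code): the reflected-XSS pattern behind
HSEC-2024-0001, shown as vulnerable and fixed renderers, plus a probe and
a version-range check. Names and sample data are constructed."""

from html import escape

# Constructed table of configured virtual hosts. The dispatcher only knows
# these names; any other Host value gets the "unknown host" error page.
VHOSTS = {"app.example.org", "api.example.org"}

ROUTED = "<html><body>OK: routed to backend</body></html>"


def dispatch_vulnerable(host: str) -> str:
    """Error page that interpolates the Host header verbatim (the defect).

    Whatever the upstream proxy chain lets through as Host becomes part of
    the HTML document, so markup in the header is interpreted by the client.
    """
    if host in VHOSTS:
        return ROUTED
    return (
        "<html><body><h1>Welcome to Keter</h1>"
        f"<p>The hostname you have provided, <code>{host}</code>, "
        "is not recognized.</p></body></html>"
    )


def dispatch_fixed(host: str) -> str:
    """Same error page, with the header value HTML-escaped before use.

    escape(..., quote=True) rewrites < > & " ' so the value is rendered as
    text, never as markup, regardless of what the header contains.
    """
    if host in VHOSTS:
        return ROUTED
    safe_host = escape(host, quote=True)
    return (
        "<html><body><h1>Welcome to Keter</h1>"
        f"<p>The hostname you have provided, <code>{safe_host}</code>, "
        "is not recognized.</p></body></html>"
    )


def reflects_markup(render, host: str) -> bool:
    """Detection probe: does a Host value containing markup characters reach
    the response body unchanged?  Only meaningful when the probe value
    actually carries characters that HTML escaping would rewrite."""
    if not any(ch in host for ch in "<>&\"'"):
        return False
    return host in render(host)


def _parse_version(v: str) -> tuple:
    """'1.8.3' -> (1, 8, 3); tuple comparison gives lexicographic ordering."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str) -> bool:
    """Affected range from this advisory: introduced 0.3.4, fixed 1.8.4."""
    v = _parse_version(version)
    return _parse_version("0.3.4") <= v < _parse_version("1.8.4")


if __name__ == "__main__":
    # Constructed probe value: a hostname with a harmless tag appended.
    probe = "evil.example<b>x</b>"
    print("vulnerable reflects markup:", reflects_markup(dispatch_vulnerable, probe))
    print("fixed reflects markup:     ", reflects_markup(dispatch_fixed, probe))
    for ver in ("0.3.3", "0.3.4", "1.8.3", "1.8.4"):
        print(f"keter {ver} affected:", is_affected(ver))
```

The probe deliberately uses an inert tag rather than script: the point is to detect whether a renderer treats attacker-influenced input as markup at all, which is the property the fix must change. Escaping is applied at the output boundary (where the value meets HTML) rather than by filtering the header on input, so the same error page stays correct for every caller.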

References

Affected packages

Hackage / keter

Package

Name
keter
Purl
pkg:hackage/keter

Severity

  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.3.4
Fixed
1.8.4

Affected versions

0.*

0.3.4
0.3.4.1
0.3.4.2
0.3.5
0.3.5.1
0.3.5.2
0.3.5.3
0.3.5.4
0.3.6
0.3.6.1
0.4.0

1.*

1.0.1
1.0.1.1
1.0.1.2
1.1.0
1.1.0.1
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.5.1
1.3.5.2
1.3.5.3
1.3.6
1.3.7
1.3.7.1
1.3.8
1.3.9
1.3.9.1
1.3.9.2
1.3.10
1.3.10.1
1.4.0
1.4.0.1
1.4.1
1.4.2.1
1.4.3
1.4.3.1
1.4.3.2
1.5
1.6
1.7
1.8
1.8.1
1.8.2
1.8.3