Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in devcode-it/openstamanager
Aug 14th 2021
A user without access to the software can inject a portion of HTML code in access logs.
🕵️♂️ Proof of Concept
Simulate login with a crafter Client-IP header like this:
curl -H 'Client-IP: <h1>INJECT</h1>' -d 'username=<your-usename>&password=<your-password>&op=login' 'http://localhost/<your-path>/?op=login'
The result is: