[advisory]
id = "HSEC-2024-0001"
cwe = [79]
keywords = ["http", "xss", "rxss", "historical"]

[[references]]
type = "FIX"
url = "https://github.com/snoyberg/keter/pull/246"

[[affected]]
package = "keter"
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
declarations."Keter.Proxy.toResponse" = ">= 0.3.4 && < 1.0.1"
declarations."Keter.Proxy.unknownHostResponse" = ">= 1.0.1 && < 1.8.4"

[[affected.versions]]
introduced = "0.3.4"
fixed = "1.8.4"

Reflected XSS vulnerability in keter

Keter is an app-server/reverse-proxy often used with webapps build on Yesod web-framework.

In the logic handling VHost dispatch, Keter was echoing back Host header value, unescaped, as part of an HTML error page. This constitutes a reflected-XSS vulnerability. Although not readily exploitable directly from a browser (where Host header can't generally assume arbitrary values), it may become such in presence of further weaknesses in components upstream of Keter in the http proxying chain. Therefore, AC:High in CVSS evaluation.