{"id":"HSEC-2024-0001","summary":"Reflected XSS vulnerability in keter","details":"# Reflected XSS vulnerability in keter\n\nKeter is an app-server/reverse-proxy often used with webapps build on Yesod web-framework.\n\nIn the logic handling VHost dispatch, Keter was echoing back `Host` header value, unescaped,\nas part of an HTML error page. This constitutes a reflected-XSS vulnerability. Although\nnot readily exploitable directly from a browser (where `Host` header can't generally assume\narbitrary values), it may become such in presence of further weaknesses in components\nupstream of Keter in the http proxying chain. Therefore, AC:High in CVSS evaluation.\n","modified":"2025-11-14T18:15:41.081112Z","published":"2025-11-14T14:45:34Z","database_specific":{"home":"https://github.com/haskell/security-advisories","repository":"https://github.com/haskell/security-advisories","osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export"},"references":[{"type":"FIX","url":"https://github.com/snoyberg/keter/pull/246"}],"affected":[{"package":{"name":"keter","ecosystem":"Hackage","purl":"pkg:hackage/keter"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.3.4"},{"fixed":"1.8.4"}]}],"versions":["0.3.4","0.3.4.1","0.3.4.2","0.3.5","0.3.5.1","0.3.5.2","0.3.5.3","0.3.5.4","0.3.6","0.3.6.1","0.4.0","1.0.1","1.0.1.1","1.0.1.2","1.1.0","1.1.0.1","1.2.0","1.2.1","1.3.0","1.3.1","1.3.10","1.3.10.1","1.3.2","1.3.3","1.3.4","1.3.5","1.3.5.1","1.3.5.2","1.3.5.3","1.3.6","1.3.7","1.3.7.1","1.3.8","1.3.9","1.3.9.1","1.3.9.2","1.4.0","1.4.0.1","1.4.1","1.4.2.1","1.4.3","1.4.3.1","1.4.3.2","1.5","1.6","1.7","1.8","1.8.1","1.8.2","1.8.3"],"database_specific":{"source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2024/HSEC-2024-0001.json","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2024/HSEC-2024-0001.json","human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2024/HSEC-2024-0001.md"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}],"schema_version":"1.7.3"}