StatsPlus is prone to HTML injection attacks. StatsPlus logs information about incoming requests to monitored web pages, including HTTP headers such as HTTP_USER_AGENT and HTTP_REFERER. The software does not sufficiently sanitize HTML when logging these fields. An attacker may send forged HTTP_USER_AGENT and HTTP_REFERER headers that contain arbitrary HTML and script code, which will then be stored on the statistics page.
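The mitigation for this class of flaw is to treat logged header values as untrusted text and encode them when the statistics page is rendered. The sketch below is an added example, not StatsPlus code: the function names, the table-row layout, the `MAX_LEN` cap and the sample values are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

MAX_LEN = 256  # assumed display cap for one logged header value
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def clean(value: str) -> str:
    """Drop control characters and cap the length before display."""
    return _CONTROL.sub("", value)[:MAX_LEN]


def render_row_unsafe(user_agent: str, referer: str) -> str:
    # Flawed pattern: logged header values are written into the page as-is,
    # so any markup they carry becomes part of the statistics page.
    return f"<tr><td>{user_agent}</td><td>{referer}</td></tr>"


def render_row(user_agent: str, referer: str) -> str:
    # Hardened pattern: HTML-encode every logged value at output time.
    ua = html.escape(clean(user_agent), quote=True)
    ref_raw = clean(referer)
    ref = html.escape(ref_raw, quote=True)
    try:
        parts = urlsplit(ref_raw)
        linkable = parts.scheme in ("http", "https") and bool(parts.netloc)
    except ValueError:  # malformed URL, show it as plain text only
        linkable = False
    # Only http(s) referers become links; anything else stays inert text.
    if linkable:
        ref_cell = f'<a href="{ref}" rel="noreferrer noopener">{ref}</a>'
    else:
        ref_cell = ref
    return f"<tr><td>{ua}</td><td>{ref_cell}</td></tr>"


# Constructed sample header values carrying harmless markup.
SAMPLE_UA = "Mozilla/5.0 <b>injected markup</b>"
SAMPLE_REF = 'http://example.com/"><i>x</i>'

if __name__ == "__main__":
    print(render_row_unsafe(SAMPLE_UA, SAMPLE_REF))
    print(render_row(SAMPLE_UA, SAMPLE_REF))
```

Encoding at render time protects the page even when older log entries were stored unsanitized.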