Adiroiban

**Name of the Vulnerable Software and Affected Versions** Twisted versions 0.9.4 through 22.10.0rc1 **Description** The issue is related to the Twisted event-based framework for internet applications. When the host header does not match a configured host, `twisted.web.vhost.NameVirtualHost` will return a `NoResource` resource which renders the Host header unescaped into the 404 response, allowing HTML and script injection. This could potentially allow a remote attacker to access and compromise confidential data. However, exploitation is considered difficult as it requires the ability to modify the Host header of a normal HTTP request, implying a privileged position. **Recommendations** For Twisted versions 0.9.4 through 22.10.0rc1, update to version 22.10.0rc1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `twisted.web.vhost.NameVirtualHost` module until a patch is available. Avoid using the `Host` header in the affected API endpoint until the issue is resolved.