Juan Felipe Osorio Zapata

**Name of the Vulnerable Software and Affected Versions** heimdall version 2.6.3-ls307 **Description** The application does not properly validate user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. This allows for Host Header Injection and Open Redirect attacks. An unauthenticated remote attacker can manipulate these headers to load external resources from attacker-controlled domains and redirect users, potentially enabling phishing, UI redress, and session theft. The issue is due to insufficient validation of untrusted input, impacting the application’s integrity and trustworthiness. **Recommendations** Apply input validation and sanitization to the `X-Forwarded-Host` and `Referer` HTTP headers to prevent manipulation.