CVE-2019-18265

Name of the Vulnerable Software and Affected Versions Digital Alert Systems' DASDEC software versions prior to 4.1

Description The issue allows remote attackers to inject arbitrary web script or HTML via the SSH username, username field of the login page, or via the HTTP host header. The injected content is stored in logs and rendered when viewed in the web application.

Recommendations For versions prior to 4.1, update to version 4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the login page and limiting the use of SSH usernames to minimize the risk of exploitation. Avoid using the username field in the login page and restrict modifications to the HTTP host header until the issue is resolved.