“vBSecurity” by DragonByte
Steps to Reproduce
An attacker has to log in by sending a forged or edited HTTP request to the vulnerable target. In this request, the User-Agent header value is populated with malicious code.
The following pictures show how we were able to exploit the vulnerability.
This issue exists due to insufficient input filtering. To mitigate it, we recommend applying input filtering to all request headers and not reflecting any output without sanitizing it.
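The mitigation above, sketched in PHP as an added example (not vBSecurity's own code): the header is filtered before it is stored and HTML-encoded whenever it is written into a page. The function names, the 512-byte limit and the sample header are assumptions constructed for illustration.

```php
<?php
// Added illustration; function names and the length limit are hypothetical.

const UA_MAX_LEN = 512; // assumed storage limit for a header value

// Input filtering: applied to any request header before it is stored.
function filter_header_value(?string $value, int $maxLen = UA_MAX_LEN): string
{
    if ($value === null) {
        return '';
    }
    // Drop control characters (including CR/LF); none belong in a header value.
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value) ?? '';
    // Bound the length. A multibyte character cut here is handled on output
    // by ENT_SUBSTITUTE.
    return substr($value, 0, $maxLen);
}

// Output encoding: applied every time a stored value is written into HTML.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders one row of a login log table with every cell encoded.
function render_login_row(string $username, string $userAgent): string
{
    return sprintf(
        '<tr><td>%s</td><td>%s</td></tr>',
        html_out($username),
        html_out($userAgent)
    );
}

// Constructed sample header containing markup characters and a trailing CRLF.
$rawUserAgent = "Mozilla/5.0 <b title=\"x\">test</b>\r\n";
$stored = filter_header_value($rawUserAgent);

// Pattern the advisory warns about: the header is reflected as-is,
// so the browser parses the <b> element as markup.
$unsafe = '<tr><td>admin</td><td>' . $stored . '</td></tr>';

// Hardened form: the same value is shown as inert text (&lt;b title=&quot;x&quot;&gt;...).
$safe = render_login_row('admin', $stored);

echo $unsafe, PHP_EOL, $safe, PHP_EOL;
```

Filtering on input alone does not make a value safe to print; the encoding step belongs at every place a stored header is written into HTML, including administrative log views.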
The issue was fixed in release v3.3.0.
Credit for finding and reporting the issue: