Title: Loadbalancer.org Enterprise VA MAX - Unauthenticated Stored XSS
Author: Jakub Palaczynski
Date: 24. July 2018
Loadbalancer.org Enterprise VA MAX before 8.3.3
Remote Code Execution with root privileges.
Vulnerability - Unauthenticated Stored XSS:
Two instances of an Unauthenticated Stored XSS issue were identified in
Loadbalancer.org Enterprise VA MAX:
1. The application takes the username supplied via Basic Auth and stores it
without any validation in the "Apache Error Log".
This instance works only on the HTTPS port.
It works on both HTTP and HTTPS ports.
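
An added example (not part of the original advisory) for the first instance: it flags Basic Auth usernames carrying HTML metacharacters in error-log lines and contrasts raw rendering with escaped rendering. The log line format (Apache 2.4 mod_auth_basic style), the sample lines, the function names, and the assumption that the log is later displayed in an HTML page are all constructed for illustration.

```python
import html
import re

# Constructed sample lines; the format is an assumption, not taken from the appliance.
SAMPLE_LOG = [
    "[Tue Jul 24 10:00:01.000000 2018] [auth_basic:error] [pid 1201] "
    "[client 192.0.2.10:51234] AH01618: user admin not found: /",
    "[Tue Jul 24 10:00:02.000000 2018] [auth_basic:error] [pid 1201] "
    "[client 192.0.2.11:51300] AH01618: user <script>alert(1)</script> not found: /",
]

# Username field of a failed Basic Auth attempt as written to the error log.
USER_RE = re.compile(r"AH01618: user (?P<user>.*) not found: ")
# Characters that change meaning when the text is placed into HTML.
MARKUP_RE = re.compile(r"[<>\"'&]")


def suspicious_usernames(lines):
    """Return (line_number, username) for usernames carrying HTML metacharacters."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = USER_RE.search(line)
        if match and MARKUP_RE.search(match.group("user")):
            hits.append((number, match.group("user")))
    return hits


def render_unsafe(lines):
    """The flaw class described above: stored log text reaches HTML unchanged."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_safe(lines):
    """Hardened viewer: every log line is HTML-escaped at output time."""
    return "<pre>" + "\n".join(html.escape(l, quote=True) for l in lines) + "</pre>"


if __name__ == "__main__":
    for number, user in suspicious_usernames(SAMPLE_LOG):
        print(f"line {number}: suspicious username {user!r}")
    print(render_safe(SAMPLE_LOG))
```

Escaping at output time covers every log source, while the username check is only a detection aid for one message type.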