VYPR
Moderate severity · NVD Advisory · Published Dec 1, 2021 · Updated Aug 4, 2024

CVE-2021-44277

Description

Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/common/alert-log.inc.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        | Affected versions | Patched versions
librenms/librenms (Packagist)  | <= 21.11.0        |


Vulnerability mechanics

Root cause

"Missing output encoding of POST parameters before embedding them into HTML attributes allows stored/reflected Cross-Site Scripting."

Attack vector

An attacker can inject arbitrary JavaScript or HTML into the alert-log page by sending a crafted POST parameter (e.g. `state`, `min_severity`, or `device_id`) that contains a payload such as `"><script>alert(1)</script>` [CWE-79]. The input is echoed directly into the HTML `value` attribute without output encoding, so when a victim (typically an administrator) views the alert-log page, the script executes in their browser. The attacker needs only a valid session on the instance; no authentication bypass is required, and the attack can be delivered via a simple form submission or a crafted link that auto-submits the form.

Affected code

The vulnerability is located in `includes/html/common/alert-log.inc.php` (the file named in the CVE description) and was fixed by wrapping `$_POST['state']`, `$_POST['min_severity']`, and `$_POST['device_id']` with `htmlspecialchars()` [patch_id=6636045]. The same pattern of missing output encoding was also corrected in many other files such as `packages.inc.php`, `inventory.inc.php`, `bill.inc.php`, `mac.inc.php`, `arp.inc.php`, `showconfig.inc.php`, `sensor-alert-update.inc.php`, `delhost.inc.php`, and `api-access.inc.php` in the same commit [patch_id=6636045].

What the fix does

The patch wraps every unencoded `$_POST` value with `htmlspecialchars()` before embedding it into HTML output [patch_id=6636045]. For example, in `alert-log.inc.php` the line `'<option value="' . $_POST['state'] . '"'` becomes `'<option value="' . htmlspecialchars($_POST['state']) . '"'`, which converts characters like `<`, `>`, `"`, and `&` into their HTML entities (`&lt;`, `&gt;`, `&quot;`, `&amp;`). An encoded value can no longer terminate the attribute or open a new tag, so an attacker-supplied payload is rendered as literal text rather than interpreted as markup or JavaScript. The same fix is applied consistently across all the other files touched in the same commit.
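To make the attack vector and the fix concrete, the following is an added PHP example (not LibreNMS code and not from the fix commit). It renders a single `<option>` element the unsafe way described above and then the way the patch does it, on a constructed input containing the characters that break out of a double-quoted attribute. The function names, the `state` field name, and the surrounding markup are assumptions made for illustration.

```php
<?php
// Added example, not code from LibreNMS. It shows the unsafe pattern the
// advisory describes (a POST value concatenated into an HTML attribute)
// beside the htmlspecialchars() form applied by the fix. The function names,
// field name and markup are assumptions for illustration.

declare(strict_types=1);

// Unsafe: the raw value is placed inside a double-quoted attribute and the
// element body. A value containing '"' or '<' changes the page structure.
function renderStateOptionUnsafe(string $state): string
{
    return '<option value="' . $state . '">' . $state . '</option>';
}

// Hardened: every interpolated value is entity-encoded before concatenation.
// ENT_QUOTES also encodes single quotes, which matters if an attribute is
// ever single-quoted; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string. (PHP 8.1+ uses ENT_QUOTES | ENT_SUBSTITUTE by
// default, but passing the flags keeps the behaviour explicit on older
// versions.)
function renderStateOptionSafe(string $state): string
{
    $enc = htmlspecialchars($state, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<option value="' . $enc . '">' . $enc . '</option>';
}

// Defender-side check: a correctly encoded attribute value must contain no
// raw double quote or angle bracket after encoding.
function attributeIsEncoded(string $rendered): bool
{
    // Extract the value="..." attribute and inspect its contents.
    if (preg_match('/value="([^"]*)"/', $rendered, $m) !== 1) {
        return false;
    }
    return strpbrk($m[1], '<>"') === false;
}

// Constructed input: a double quote and angle brackets, the characters that
// let a value terminate the attribute and start new markup. A real form
// handler would read $_POST['state'] here; the fallback keeps this runnable
// from the CLI.
$input = (isset($_POST['state']) && is_string($_POST['state']))
    ? $_POST['state']
    : 'ok" <b>x</b>';

$unsafe = renderStateOptionUnsafe($input);
$safe   = renderStateOptionSafe($input);

echo "unsafe: " . $unsafe . PHP_EOL;
echo "safe:   " . $safe . PHP_EOL;
echo "unsafe attribute intact? " . (attributeIsEncoded($unsafe) ? 'yes' : 'no') . PHP_EOL;
echo "safe attribute intact?   " . (attributeIsEncoded($safe) ? 'yes' : 'no') . PHP_EOL;
```

Run it with `php example.php` to see the two renderings side by side: in the unsafe output the quote in the input closes the `value` attribute and the `<b>` tag becomes real markup, while in the safe output the same characters appear as `&quot;`, `&lt;` and `&gt;`. The `attributeIsEncoded()` check is the kind of assertion a unit test can make over every template that concatenates request data into attributes, which catches the pattern before it reaches a page an administrator views.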

Preconditions

  • auth: Attacker must have a valid session on the LibreNMS instance
  • input: The victim (admin) must visit the alert-log page or any of the other affected pages
  • input: The attacker can supply malicious input via POST parameters such as `state`, `min_severity`, or `device_id`

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
