VYPR
Moderate severity · NVD Advisory · Published Dec 1, 2021 · Updated Aug 4, 2024

CVE-2021-44279

Description

Librenms 21.11.0 is affected by a Cross Site Scripting (XSS) vulnerability in includes/html/forms/poller-groups.inc.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: librenms/librenms (Packagist)
Affected versions: <= 21.11.0
Patched versions: none listed in the advisory

Affected products: 2 (not itemized on this page)

Vulnerability mechanics

Root cause

"User-controllable input from $_POST and $_GET parameters is echoed directly into HTML output without HTML entity encoding."

Attack vector

An attacker can inject arbitrary HTML or JavaScript by supplying crafted input in any of the unencoded request parameters (e.g., `package`, `version`, `arch`, `string`, `serial`, `device_string`, `bill_code`, `address`, `searchPhrase`, `state`, `min_severity`, `device_id`, `config`, `sensor_desc`, `id`, `token`, `description`). Because each value is echoed straight back into the response, the payload is reflected into the page's HTML and runs in the browser of the user who loads that response, which is cross-site scripting [CWE-79]. The attacker needs no account of their own to craft the payload: a GET-based vector is delivered as a crafted link, a POST-based one as a form the victim's browser submits, so exploitation depends on a logged-in LibreNMS user rendering the attacker-controlled request.

Affected code

The vulnerability is in `includes/html/forms/poller-groups.inc.php` (the only file the CVE description names), and the patch also fixes the same pattern in several other files, including `includes/html/pages/search/packages.inc.php`, `includes/html/pages/inventory.inc.php`, `includes/html/pages/bill.inc.php`, `includes/html/pages/search/mac.inc.php`, `includes/html/pages/search/arp.inc.php`, `includes/html/common/alert-log.inc.php`, `includes/html/pages/device/showconfig.inc.php`, `includes/html/forms/sensor-alert-update.inc.php`, `includes/html/pages/delhost.inc.php`, and `includes/html/pages/api-access.inc.php`. The root cause in every case is that values read from `$_POST` and `$_GET` were echoed directly into HTML output without output encoding.
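Since the same defect recurs across a dozen legacy include files, the practical question is how to find the remaining instances. The following is an added example, not LibreNMS code: a line-level audit that flags a `$_GET`, `$_POST` or `$_REQUEST` read reaching `echo`, `print` or `<?=` on a line with no `htmlspecialchars()` or `htmlentities()` call. The sample source it scans is constructed for the example and only imitates the style of the affected files; the regexes and the `scan_tree` helper are this example's own. It is a heuristic: encoding done on an earlier line or inside a helper is still reported, and statements spanning several lines are not followed, so its output is a worklist for review, not a verdict.

```php
<?php
// Added example, not LibreNMS code: a line-level audit for the pattern the
// advisory describes, a $_GET / $_POST / $_REQUEST read reaching echo, print
// or <?= with no htmlspecialchars()/htmlentities() on that line. Heuristic:
// encoding on an earlier line or in a helper is still reported, and
// statements spanning several lines are not followed.
declare(strict_types=1);

// Returns [['line' => n, 'code' => '...'], ...] for each suspicious line.
function find_unencoded_output(string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $index => $line) {
        $writesOutput = preg_match('/\b(echo|print)\b|<\?=/', $line) === 1;
        $readsRequest = preg_match('/\$_(GET|POST|REQUEST)\b/', $line) === 1;
        $encodes      = preg_match('/\b(htmlspecialchars|htmlentities)\s*\(/', $line) === 1;
        if ($writesOutput && $readsRequest && !$encodes) {
            $findings[] = ['line' => $index + 1, 'code' => trim($line)];
        }
    }
    return $findings;
}

// Walk a source tree (for instance includes/html/) and report per .php file.
function scan_tree(string $root): array
{
    $report = [];
    $iterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root));
    foreach ($iterator as $file) {
        if ($file->isFile() && substr($file->getFilename(), -4) === '.php') {
            $findings = find_unencoded_output((string) file_get_contents($file->getPathname()));
            if ($findings !== []) {
                $report[$file->getPathname()] = $findings;
            }
        }
    }
    return $report;
}

// Constructed sample source, imitating the style of a legacy include file.
// Lines 3, 5 and 7 are the ones the audit should flag.
$sample = <<<'PHP'
<?php
$name = $_POST['name'] ?? '';
echo '<td>' . $_POST['description'] . '</td>';
echo '<td>' . htmlspecialchars($_POST['description']) . '</td>';
print '<input value="' . $_GET['searchPhrase'] . '">';
?>
<span><?= $_GET['id'] ?></span>
<span><?= htmlspecialchars($_GET['id']) ?></span>
PHP;

// With a directory argument the real tree is scanned; otherwise the sample is.
$report = $argc > 1 ? scan_tree($argv[1]) : ['<sample>' => find_unencoded_output($sample)];
foreach ($report as $path => $findings) {
    foreach ($findings as $f) {
        printf("%s:%d: %s\n", $path, $f['line'], $f['code']);
    }
}
```

Run it as `php audit.php` to see the three constructed hits, or `php audit.php path/to/includes/html` against a checkout. Anything it reports in a file outside the patched list deserves the same `htmlspecialchars()` treatment or a justification for why the value cannot be attacker-controlled.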

What the fix does

The patch wraps each user-controlled `$_POST` and `$_GET` value in `htmlspecialchars()` at the point where it is echoed into HTML. That function converts the characters HTML syntax cares about (`<`, `>`, `&`, `"`, and with `ENT_QUOTES` also `'`) into entities, so injected markup is rendered as text instead of being parsed as tags or script. Encoding at the output sink rather than filtering on input is the right choice, since the same value may also be written elsewhere, for example through `json_encode()`, where a different encoding applies. Two caveats for anyone reviewing the fix or applying it to other code: `htmlspecialchars()` is correct only for the HTML body and quoted-attribute contexts, not for values placed inside a JavaScript string, a URL or a CSS property; and on PHP releases before 8.1 its default flags are `ENT_COMPAT`, which leave single quotes unencoded, so a value written into a single-quoted attribute needs `ENT_QUOTES` passed explicitly.
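To make the vulnerable pattern and the fix concrete, here is an added example that is not LibreNMS code and not taken from the patch. The `description` parameter, the `<input>` markup and the payload are hypothetical stand-ins for the fields the advisory lists; `h()` and the other helpers are this example's own names. It shows the unencoded echo, the `htmlspecialchars()` fix with explicit flags, the single-quote gap under `ENT_COMPAT`, and what a JavaScript string context needs instead.

```php
<?php
// Added example, not LibreNMS code: the reflected-XSS pattern the advisory
// describes, beside the htmlspecialchars() fix the patch applies. The field
// name, markup and payload are hypothetical, not taken from poller-groups.inc.php.
declare(strict_types=1);

// Vulnerable pattern: a request parameter concatenated straight into markup.
function render_vulnerable(array $request): string
{
    $description = (string) ($request['description'] ?? '');
    return '<input type="text" name="description" value="' . $description . '">';
}

// Output encoding for the HTML body / quoted-attribute context.
// ENT_QUOTES also encodes the single quote (before PHP 8.1 the default is
// ENT_COMPAT, which leaves it alone); ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning '' and silently blanking the field.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same markup, the value encoded at the output point.
function render_fixed(array $request): string
{
    $description = (string) ($request['description'] ?? '');
    return '<input type="text" name="description" value="' . h($description) . '">';
}

// A JavaScript string literal is a different context. htmlspecialchars()
// targets HTML syntax only: it leaves backslashes and line breaks alone and,
// under ENT_COMPAT, single quotes too. json_encode() with the JSON_HEX_* flags
// produces a literal in which <, >, &, ' and " are all \uXXXX escapes.
function render_js_context(array $request): string
{
    $description = (string) ($request['description'] ?? '');
    $literal = json_encode(
        $description,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>var description = ' . $literal . ';</script>';
}

// Pitfall check: under ENT_COMPAT a single-quote breakout passes through unchanged.
function survives_ent_compat(string $value): bool
{
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8') === $value;
}

// Constructed request standing in for $_GET / $_POST: an attribute-breakout payload.
$request = ['description' => '"><script>alert(document.cookie)</script>'];

echo "vulnerable: ", render_vulnerable($request), PHP_EOL;
echo "fixed:      ", render_fixed($request), PHP_EOL;
echo "js context: ", render_js_context($request), PHP_EOL;
echo "ENT_COMPAT leaves single quote: ",
    var_export(survives_ent_compat("' onmouseover='alert(1)"), true), PHP_EOL;
```

The first line of output closes the `value` attribute and opens a `<script>` element; the second shows the same bytes as `&quot;&gt;&lt;script&gt;...`, which the browser displays as text. The last line prints `true`, which is why a patch that relies on the default flags is only complete on PHP 8.1 and later or where every attribute is double-quoted.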

Preconditions

  • Network: The attacker must be able to get a crafted GET or POST request to the vulnerable LibreNMS pages, in practice by having a user's browser open a link or submit a form that targets them.
  • Auth: The attacker needs no account to craft the payload; because the affected pages are part of the authenticated web UI, the request executes with the session of whichever logged-in LibreNMS user renders it.

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4 (not listed on this page)

News mentions: 0 (no linked articles in the index yet)