The HTTP Host header in eramba can be injected when a request is made, and eramba will then build requests based on that host, which can be a different host from the one eramba actually runs on. Someone using this bug could have eramba print PDF files (using wkhtmltopdf) within the OS. The exploit requires a valid eramba account, otherwise it does not work, and quite a big brain (which Naveen obviously has).
We tested this on Community; we could not reproduce it on Enterprise at all. Anyway, since this Host header behaviour is also a problem for some customers running eramba behind a reverse proxy (Feature - forcing full base url on eramba), we'll fix it on Enterprise next week too.
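To make the problem concrete, here is a small illustration of the two ways an application can build the URL that its PDF renderer is told to fetch: from the client-supplied Host header, or from an operator-configured full base URL. This is an added example, not eramba's code and not the fix eramba shipped; the request dicts, the hostnames, the FORCED_BASE_URL/ALLOWED_HOSTS settings and the function names are all constructed for the illustration.

```python
"""Added illustration: Host-header-derived URL vs. forced base URL.

Not eramba's code. Hostnames, settings and function names are assumptions
made for this example.
"""
from urllib.parse import urlsplit

# Constructed sample requests as a web app would see them after parsing:
# a normal request and one where the client injected its own Host header.
NORMAL_REQUEST = {"Host": "grc.example.com", "path": "/reports/42/pdf"}
INJECTED_REQUEST = {"Host": "attacker.example.net", "path": "/reports/42/pdf"}

# Hypothetical configuration: the operator forces the full base URL the
# application is really served on, which is what the "forcing full base
# url" feature mentioned above amounts to.
FORCED_BASE_URL = "https://grc.example.com"
ALLOWED_HOSTS = {"grc.example.com"}


def vulnerable_pdf_url(request):
    """Vulnerable pattern: trust whatever Host the client sent.

    A server-side renderer such as wkhtmltopdf handed this URL will connect
    to the injected host instead of the application itself.
    """
    return "https://" + request["Host"] + request["path"]


def hardened_pdf_url(request, base_url=FORCED_BASE_URL, allowed=ALLOWED_HOSTS):
    """Hardened pattern: reject unexpected Host values, build from config.

    Note for reverse-proxy deployments: X-Forwarded-Host is just as
    client-influenced as Host unless the proxy overwrites it, so it must
    not be used here either.
    """
    host = request["Host"].split(":", 1)[0].lower()  # drop any :port
    if host not in allowed:
        raise ValueError(f"unexpected Host header: {request['Host']!r}")
    base = urlsplit(base_url)
    return f"{base.scheme}://{base.netloc}{request['path']}"


def renders_from_trusted_host(url, allowed=ALLOWED_HOSTS):
    """Check helper: does the URL the renderer will fetch point at us?"""
    return urlsplit(url).hostname in allowed


if __name__ == "__main__":
    bad = vulnerable_pdf_url(INJECTED_REQUEST)
    print("vulnerable builds:", bad, "trusted:", renders_from_trusted_host(bad))
    print("hardened builds:  ", hardened_pdf_url(NORMAL_REQUEST))
    try:
        hardened_pdf_url(INJECTED_REQUEST)
    except ValueError as exc:
        print("hardened rejects: ", exc)
```

The point of the allowlist check is that it fails closed: a Host value the operator did not configure is refused before any URL reaches the renderer, rather than being silently rewritten.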
We want to thank Naveen Sunkavally for the patience he had in explaining the issue to us; he is clearly very good at what he does.
CVE request ID: #981965 // CVE-2020-28031