Reflected XSS vulnerability in keter

OSV: HSEC-2024-0001 (Google osv.dev)
Published: 2024-02-27 17:06:24
Tags: vulnerability, keter, reflected-xss
Severity: 6 Medium
AI Score Confidence: High
Keter is an app server and reverse proxy commonly used to deploy web applications built on the Yesod web framework.

In the logic handling virtual-host (VHost) dispatch, Keter echoed the value of the request's Host header, unescaped, into an HTML error page. This is a reflected XSS vulnerability. It is not readily exploitable directly from a browser, because a browser does not let a page or attacker set the Host header to an arbitrary value, but it can become exploitable if a component upstream of Keter in the HTTP proxying chain (a load balancer, CDN or reverse proxy that rewrites or forwards Host) can be made to deliver an attacker-controlled Host value. That precondition is why the CVSS evaluation rates attack complexity as High (AC:H).
