status_dhcp_leases.php: DHCP Lease status does not encode hostname and some other data from leases file, leading to a potential XSS
A client can send a hostname containing <script> tags and the DHCP daemon will accept it and add it to the leases file. This hostname is then output as-is by the lease status view in the list and then again in action icons for the lease, leading to script execution on the client (for example).
Only affects IPv4 DHCP status, not IPv6
Confirmed on 2.4 and 2.3.x.
To me, I have a fix pending.