CVE-2023-38877

A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
VendorProductVersion
economizzereconomizzer
0.9:beta1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38877
https://github.com/gugoan/economizzer/
https://www.economizzer.org
https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38877
https://github.com/gugoan/economizzer/
https://www.economizzer.org