CVE-2021-25994 Userfrosting - Host-Header Injection Leads to Account Takeover

Published: 2022-01-03 06:45:10
CWE: CWE-74
Source: Mend (www.cve.org)
Tags: userfrosting, host-header injection, cve-2021-25994, account takeover, security vulnerability

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 9
Confidence: High

EPSS: 0.002
Percentile: 62.1%

In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account.
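The root cause the description points at is a password-reset link whose host is taken from the request's Host header. The following Python is an added illustration written for this page, not UserFrosting code: it shows the link-building pattern that makes a forged Host header land in the victim's reset e-mail, the fix of pinning the link to a configured canonical origin, and a front-door Host allowlist check. The origin, allowlist, route path and sample request are assumptions constructed for the example.

```python
# Added illustration (not UserFrosting code): a reset link built from the
# client-supplied Host header versus one pinned to a configured origin.
from urllib.parse import urlencode, urlsplit

# Assumed deployment settings for this example.
CANONICAL_BASE_URL = "https://example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}
RESET_PATH = "/account/reset-password"  # assumed route, not UserFrosting's


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: trusts Host to form the absolute link, so a forged
    header sends the victim's reset token to whatever host the request named."""
    host = headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?{urlencode({'token': token})}"


def build_reset_link_fixed(headers: dict, token: str) -> str:
    """Fixed pattern: the request headers play no part in the link's origin."""
    return f"{CANONICAL_BASE_URL}{RESET_PATH}?{urlencode({'token': token})}"


def host_is_allowed(headers: dict) -> bool:
    """Front-door check: reject any request whose Host is not on the allowlist
    (port is stripped so 'www.example.com:443' still matches)."""
    host = headers.get("Host", "").split(":")[0].lower()
    return host in ALLOWED_HOSTS


def reset_link_is_safe(link: str) -> bool:
    """Outbound check before e-mailing: scheme and authority must equal the
    canonical origin, whatever produced the link."""
    expected, actual = urlsplit(CANONICAL_BASE_URL), urlsplit(link)
    return (actual.scheme, actual.netloc) == (expected.scheme, expected.netloc)


# Constructed sample: a forgot-password request carrying a forged Host header.
FORGED_HEADERS = {"Host": "attacker.example"}
SAMPLE_TOKEN = "constructed-token-0123456789"

if __name__ == "__main__":
    bad = build_reset_link_vulnerable(FORGED_HEADERS, SAMPLE_TOKEN)
    good = build_reset_link_fixed(FORGED_HEADERS, SAMPLE_TOKEN)
    print("host allowed:", host_is_allowed(FORGED_HEADERS))
    print("vulnerable link:", bad, "safe:", reset_link_is_safe(bad))
    print("fixed link:     ", good, "safe:", reset_link_is_safe(good))
```

Proxies that rewrite or forward X-Forwarded-Host need the same treatment, since a framework that honours that header for link generation has the same exposure.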

CNA Affected

[
  {
    "product": "userfrosting",
    "vendor": "userfrosting",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0.3.1",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "4.6.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
