Lucene search
GoogleOSV:CVE-2021-36804HistoryAug 04, 2021 - 11:15 p.m.
CVE-2021-36804
2021-08-0423:15:08
Google
osv.dev
7
akaunting vulnerability
password reset
version 2.1.12
laravel framework
proxy headers
Akaunting version 2.1.12 and earlier suffers from a password reset spoofing vulnerability, wherein an attacker can proxy password reset requests through a running Akaunting instance, if that attacker knows the target’s e-mail address. This issue was fixed in version 2.1.13 of the product. Please note that this issue is ultimately caused by the defaults provided by the Laravel framework, specifically how proxy headers are handled with respect to multi-tenant implementations. In other words, while this is not technically a vulnerability in Laravel, this default configuration is very likely to lead to practically identical identical vulnerabilities in Laravel projects that implement multi-tenant applications.
Related
veracode
veracode
Malicious Password Resetting
2021-09-02 06:48:53
github
github
Malicious password-reset in Akaunting
2021-09-01 18:31:36
cve
cve
CVE-2021-36804
2021-08-04 23:15:08
cvelist
cvelist
CVE-2021-36804 Akaunting Password Reset Relay
2021-08-04 22:20:44
nvd
nvd
CVE-2021-36804
2021-08-04 23:15:08
gitlab
gitlab
Weak Password Recovery Mechanism for Forgotten Password
2021-09-01 00:00:00
prion
prion
Spoofing
2021-08-04 23:15:00
osv
osv
Malicious password-reset in Akaunting
2021-09-01 18:31:36
thn
thn
Several Bugs Found in 3 Open-Source Software Used by Several Businesses
2021-07-27 13:01:00
rapid7blog
rapid7blog
Multiple Open Source Web App Vulnerabilities Fixed
2021-07-27 14:30:24