In the Password Reset Module in VESTA Control Panel through 0.9.8-25 and Hestia Control Panel before 1.1.1, Host header manipulation leads to account takeover because the victim receives a reset URL containing an attacker-controlled server name.
CPE | Name | Operator | Version |
---|---|---|---|
control_panel | lt | 1.1.1 | |
control_panel | eq | <= 0.9.8-25 |