CVE-2021-43437

Published: Dec 20, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In sourcecodetester Engineers Online Portal as of 10-21-21, an attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on the same IP address. This is where the Host Header comes in. This header specifies which website should process the HTTP request. The web server uses the value of this header to dispatch the request to the specified website. Each website hosted on the same IP address is called a virtual host. And It's possible to send requests with arbitrary Host Headers to the first virtual host.

Affected (1)

Products: Engineers Online Portal Project: Engineers Online Portal

Engineers Online Portal Project

1 product

Engineers Online Portal

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Engineers Online Portal Project Engineers Online Portal	Version 1.0

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (4)

https://medium.com/%40mayhem7999/cve-2021-43437-5c5e3b977e84

Source: cve@mitre.org

https://portswigger.net/web-security/host-header

Source: cve@mitre.org

Third Party Advisory

https://medium.com/%40mayhem7999/cve-2021-43437-5c5e3b977e84

Source: af854a3a-2127-422b-91ae-364da2661108

https://portswigger.net/web-security/host-header

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.