CVE-2023-38877

Published: Sep 28, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.

Affected (2)

Products: Economizzer: Economizzer

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Economizzer Economizzer	Version 0.9 beta1
Economizzer Economizzer	Version april_2023

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38877

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/gugoan/economizzer/

Source: cve@mitre.org

Product

https://www.economizzer.org

Source: cve@mitre.org

Product

https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38877

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/gugoan/economizzer/

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://www.economizzer.org

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.