CVE-2025-63828

Published: Nov 18, 2025Modified: Nov 24, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.

Affected (1)

Products: Backdropcms: Backdrop Cms

Backdropcms

1 product

Backdrop Cms

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Backdropcms Backdrop Cms	Version 1.32.1

Related CWEs

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (3)

https://github.com/mertdurum06/BackdropCms-1.32.1/

Source: cve@mitre.org

Release Notes

https://github.com/mertdurum06/BackdropCms-1.32.1/blob/main/backdropcms_exploit.txt

Source: cve@mitre.org

Exploit

https://github.com/mertdurum06/BackdropCms-1.32.1/blob/main/backdropcms_exploit.txt

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Exploit

Timeline

No history available yet.