GHSA-hqp9-mrjw-7qq2: Economizzer host header injection vulnerability

A host header injection vulnerability exists in gugoan’s Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users’ passwords.
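The flaw described above is the classic password-reset poisoning pattern: the application builds the link in the reset e-mail from the client-supplied Host header, so whoever controls that header controls where the token is delivered. The following is an added illustration, not Economizzer's code: it places the Host-derived link builder next to a hardened version that derives the link from a configured canonical base URL and rejects requests whose Host is not in a deployment allowlist. The hostnames, the `/reset-password` path and the request dictionaries are constructed for the example.

```python
"""Password-reset link construction: Host-header-derived (flawed) vs configured base URL.

Constructed example for illustration; not taken from Economizzer.
Hostnames, paths and request shapes below are assumptions.
"""
from urllib.parse import urlencode, urlsplit

# Assumed deployment configuration: the hostnames this instance legitimately serves,
# and the single base URL that outbound links should always be built from.
ALLOWED_HOSTS = {"economizzer.example", "www.economizzer.example"}
CANONICAL_BASE_URL = "https://economizzer.example"
RESET_PATH = "/reset-password"  # assumed route name, not the project's own


class UntrustedHostError(ValueError):
    """Raised when the request's Host header is not one this deployment serves."""


def build_reset_link_from_host_header(request, token):
    """Flawed pattern: the link's authority comes straight from the request.

    `request` is a plain dict standing in for a framework request object.
    Whatever value the client put in Host ends up in the e-mailed link.
    """
    scheme = request.get("scheme", "https")
    host = request["headers"]["Host"]
    return f"{scheme}://{host}{RESET_PATH}?{urlencode({'token': token})}"


def validate_host(host_header):
    """Normalise the Host header (strip port, lowercase) and check the allowlist.

    Returns the normalised hostname; raises UntrustedHostError otherwise.
    """
    hostname = host_header.split(":", 1)[0].strip().lower()
    if hostname not in ALLOWED_HOSTS:
        raise UntrustedHostError(f"unexpected Host header: {host_header!r}")
    return hostname


def build_reset_link_safely(request, token):
    """Hardened pattern: reject unexpected Host values, then build the link from config.

    The allowlist check is defence in depth (and a useful signal to log); even
    if it were skipped, the link would still point at CANONICAL_BASE_URL because
    nothing from the request is used to form the authority part of the URL.
    """
    validate_host(request["headers"]["Host"])
    return f"{CANONICAL_BASE_URL}{RESET_PATH}?{urlencode({'token': token})}"


def link_points_at_trusted_host(link):
    """Post-condition check a reset mailer can apply before sending anything."""
    return urlsplit(link).hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed requests: one from the real site, one with a forged Host header.
    legit = {"scheme": "https", "headers": {"Host": "economizzer.example"}}
    forged = {"scheme": "https", "headers": {"Host": "attacker.example"}}
    token = "constructed-token-value"

    print("flawed, legit host :", build_reset_link_from_host_header(legit, token))
    print("flawed, forged host:", build_reset_link_from_host_header(forged, token))
    print("hardened, legit    :", build_reset_link_safely(legit, token))
    try:
        build_reset_link_safely(forged, token)
    except UntrustedHostError as exc:
        print("hardened, forged   : rejected ->", exc)
```

Two practical notes. Many frameworks also honour `X-Forwarded-Host` when computing the "current" host, so a Host allowlist enforced only in application code should be paired with the reverse proxy stripping or overwriting that header. And the post-condition check at the end is cheap to keep in the mail-sending path permanently: a reset link whose hostname is not in the allowlist should never be sent, and its appearance is worth alerting on.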


Economizzer host header injection vulnerability

Moderate severity. GitHub Reviewed. Published Sep 28, 2023 to the GitHub Advisory Database; updated Sep 28, 2023.

Related news

CVE-2023-38877: GitHub - gugoan/economizzer: Open Source Personal Finance Manager