GHSA-cv25-3gmg-c6m8, CVE-2021-25994
packagist/userfrosting/userfrosting
Host Header Injection in UserFrosting password reset
UserFrosting versions 0.3.1 through 4.6.2 are vulnerable to Host header injection in the "forgot password" flow. An unauthenticated attacker who requests a password reset for a victim's account while sending a forged Host header can cause the reset link e-mailed to the victim to point at an attacker-controlled domain. If the victim is lured into clicking that link, the reset token is disclosed to the attacker, who can then use it to set a new password and take over the account. The underlying weakness is the usual one for this class of bug: the absolute URL placed in the reset e-mail is derived from the client-supplied Host header rather than from a server-side configured base URL.
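To make the mechanism concrete, the following is an added illustration written for this page; it is not UserFrosting's own code and does not reproduce its internals. It shows the vulnerable pattern (building the reset link from `$_SERVER['HTTP_HOST']`) next to a hardened version that uses a configured canonical base URL and refuses requests whose Host header is not on an allowlist. The request array, the `APP_BASE_URL` and `ALLOWED_HOSTS` settings, and the `/account/set-password` path are all hypothetical, constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed sample request: an unauthenticated attacker submits the victim's
// e-mail address to the forgot-password endpoint with a forged Host header.
$request = [
    'HTTP_HOST'   => 'attacker.example',          // attacker-controlled value
    'REQUEST_URI' => '/account/forgot-password',  // hypothetical endpoint
    'HTTPS'       => 'on',
];
$token = bin2hex(random_bytes(16)); // stands in for the real password-reset token

// Vulnerable pattern: the link is built from the client-controlled Host header,
// so the victim receives the secret token embedded in an attacker URL.
function vulnerableResetLink(array $server, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST']
        . '/account/set-password?token=' . urlencode($token);
}

// Hardened pattern: the public base URL comes from server-side configuration
// (hypothetical APP_BASE_URL), and a request whose Host header is not on the
// allowlist is rejected before any token is issued or mailed.
const APP_BASE_URL  = 'https://www.example.org';
const ALLOWED_HOSTS = ['www.example.org', 'example.org'];

function hardenedResetLink(array $server, string $token): string
{
    $host = strtolower(trim($server['HTTP_HOST'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host); // ignore an explicit port when comparing
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        throw new RuntimeException('Rejected request with unexpected Host header: ' . $host);
    }
    // The Host header is never used to build the link, even for allowed hosts.
    return APP_BASE_URL . '/account/set-password?token=' . urlencode($token);
}

echo 'vulnerable: ', vulnerableResetLink($request, $token), PHP_EOL;
try {
    echo 'hardened:   ', hardenedResetLink($request, $token), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'hardened:   ', $e->getMessage(), PHP_EOL;
}

// A legitimate request from the canonical hostname still gets a correct link.
$legit = $request;
$legit['HTTP_HOST'] = 'www.example.org';
echo 'hardened:   ', hardenedResetLink($legit, $token), PHP_EOL;
```

Run with `php example.php`: the vulnerable function emits `https://attacker.example/account/set-password?token=...`, the hardened function refuses the forged request, and only the request carrying the canonical hostname produces a link on `www.example.org`. Rejecting unexpected Host values is defence in depth; the essential fix is that the e-mailed URL is never assembled from request-controlled input.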
All versions starting from 0.3.1 before 4.6.3
Upgrade to version 4.6.3 or above. As defence in depth, configure the web server or reverse proxy in front of the application to reject requests whose Host header does not match one of the site's canonical hostnames, so a forged header never reaches the password-reset handler.
2022-01-11