CVE-2021-25994

Injection in UserFrosting in packagist/userfrosting/userfrosting

Identifiers

GHSA-cv25-3gmg-c6m8, CVE-2021-25994

Package Slug

packagist/userfrosting/userfrosting

Vulnerability

Injection in UserFrosting

Description

In UserFrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a user of the application into clicking a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and take over their account.
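To make the mechanism concrete, here is an added example (not UserFrosting's code; written in Python, with the site URL, hostnames, paths and token value all constructed) showing a reset-link builder that copies the request's Host header beside one that validates the host against an allowlist and builds the link from a configured canonical URL:

```python
from urllib.parse import urlencode, urlsplit

# Constructed deployment settings: the canonical public URL the operator
# configured, and the hostnames the application is willing to answer for.
SITE_URL = "https://example.test"
ALLOWED_HOSTS = {"example.test", "www.example.test"}

def request_host(headers: dict) -> str:
    """Hostname as seen by the application, normalised (port stripped,
    lower-cased). A reverse proxy may pass the client's value on as
    X-Forwarded-Host, which is just as client-controlled as Host itself."""
    raw = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return raw.split(",")[0].strip().split(":")[0].lower()

def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's host is copied from the request, so
    the party that chose the Host header also chooses which site receives
    the reset token when the victim clicks the emailed link."""
    return f"https://{request_host(headers)}/account/set-password?{urlencode({'token': token})}"

def is_trusted_host(headers: dict) -> bool:
    """Allowlist check; reject the request outright if the host is unknown."""
    return request_host(headers) in ALLOWED_HOSTS

def reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: refuse untrusted hosts, and even for trusted ones
    never derive the link from the request; use the configured URL instead."""
    if not is_trusted_host(headers):
        raise ValueError(f"untrusted host in password reset request: {request_host(headers)!r}")
    return f"{SITE_URL}/account/set-password?{urlencode({'token': token})}"

def link_host(link: str) -> str:
    """Helper for inspecting where a generated link actually points."""
    return urlsplit(link).hostname or ""

if __name__ == "__main__":
    token = "constructed-reset-token-123"        # constructed sample token
    legit = {"Host": "www.example.test"}
    forged = {"Host": "attacker.invalid"}        # constructed, not a real host
    print(reset_link_vulnerable(forged, token))  # link points at attacker.invalid
    print(reset_link_hardened(legit, token))     # link always points at SITE_URL
```

The same allowlist check belongs on every request, not only the reset flow; a log entry for each rejection gives responders a ready-made detection for reset poisoning attempts.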

Affected Versions

All versions starting from 0.3.1 before 4.6.3

Solution

Upgrade to version 4.6.3 or above.

Last Modified

2022-01-11