Description
A host header injection vulnerability exists in the NPM package @perfood/couch-auth in versions up to and including 0.20.0. By sending a forgot-password request with a specially crafted Host header, an attacker can cause the password reset link e-mailed to the victim to point at an attacker-controlled server; when the victim clicks the link, the password reset token is leaked to the attacker. The attacker can then use that token to reset the victim's password and take over the account.
References
- Third Party Advisory
- Product
Vulnerable configurations
Configuration 1: versions up to 0.20.0 (inclusive)
cpe:2.3:a:perfood:couchauth:*:*:*:*:*:node.js:*:*
EPSS: 0.00104 (percentile: 29%, Low)
CVSS3: 9.6 Critical
Weaknesses
CWE-74
Related vulnerabilities
- github (about 2 years ago), CVSS3: 8.1: CouchAuth host header injection vulnerability leaks the password reset token