CVE-2024-26470

Опубликовано: 29 фев. 2024

Источник: nvd

CVSS3: 8.1

EPSS Низкий

Описание

A host header injection vulnerability in the forgot password function of FullStackHero's WebAPI Boilerplate v1.0.0 and v1.0.1 allows attackers to leak the password reset token via a crafted request.

Ссылки

https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2024-26470
Third Party Advisory
https://github.com/fullstackhero/dotnet-webapi-boilerplate
Product
https://www.nuget.org/packages/FullStackHero.WebAPI.Boilerplate
Exploit
Product
https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2024-26470
Third Party Advisory
https://github.com/fullstackhero/dotnet-webapi-boilerplate
Product
https://www.nuget.org/packages/FullStackHero.WebAPI.Boilerplate
Exploit
Product

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:fullstackhero:.net_9_starter_kit:1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:fullstackhero:.net_9_starter_kit:1.0.1:*:*:*:*:*:*:*

EPSS

Процентиль: 30%

0.00114

Низкий

8.1 High

CVSS3

Дефекты

CWE-200

Связанные уязвимости

GHSA-75x2-6h4m-h6mx

github

почти 2 года назад

FullStackHero's WebAPI Boilerplate host header injection vulnerability