CVE-2021-25994

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-25994

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25994.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-25994

Aliases

GHSA-cv25-3gmg-c6m8

Published

2022-01-03T07:15:07.243Z

Modified

2026-04-10T04:32:02.929978Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account.

References

Affected packages

Git / github.com/userfrosting/userfrosting

Affected ranges

Type

GIT

Repo

https://github.com/userfrosting/userfrosting

Events

Introduced

baa77a08a8d23d73b0dbbd9ea7b370b601a5fd9e

Fixed

15d713a1fa2e9a67000b2a9a9413473f5c51da4d

Fixed

796dd78757902435d1bd286415feea78098e45ba

Database specific

{
    "versions": [
        {
            "introduced": "0.3.1"
        },
        {
            "fixed": "4.6.3"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25994.json"