CVE-2025-63828

Source
https://cve.org/CVERecord?id=CVE-2025-63828
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63828.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-63828
Aliases
Published
2025-11-18T00:00:00Z
Modified
2026-07-08T08:12:20.291980255Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/63xxx/CVE-2025-63828.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / github.com/backdrop/backdrop

Affected ranges

Type
GIT
Repo
https://github.com/backdrop/backdrop
Events
Database specific
{
    "cpe": "cpe:2.3:a:backdropcms:backdrop_cms:1.32.1:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.32.1"
        },
        {
            "last_affected": "1.32.1"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

1.*
1.32.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63828.json"