GHSA-ffpg-gm3h-4p5p

Source
https://github.com/advisories/GHSA-ffpg-gm3h-4p5p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-ffpg-gm3h-4p5p/GHSA-ffpg-gm3h-4p5p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-ffpg-gm3h-4p5p
Aliases
  • CVE-2025-63828
Published
2025-11-18T18:32:55Z
Modified
2025-11-20T14:43:59.366997Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P
Summary
Backdrop CMS Host Header Injection vulnerability
Details

Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.

Database specific
{
    "github_reviewed_at": "2025-11-18T21:56:57Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-601",
        "CWE-644"
    ],
    "nvd_published_at": "2025-11-18T18:16:13Z",
    "severity": "MODERATE"
}
References

Affected packages

Packagist / backdrop/backdrop

Package

Name
backdrop/backdrop
Purl
pkg:composer/backdrop/backdrop

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.32.0

Affected versions

1.*

1.13.2-rc1
1.13.2-rc2
1.17.3
1.18.3
1.19.1
1.20.3
1.21.0
1.21.1
1.21.3
1.21.4
1.22.1
1.22.2
1.27.0
1.28.0
1.29.0
1.30.0
1.30.2
1.31.0
1.32.0