Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
A Host header injection vulnerability exists in the forgot password functionality of ArrowCMS version 1.0.0. By sending a specially crafted Host header in the forgot password request, an attacker can cause password reset links to be sent to users that, once clicked, lead to an attacker-controlled server and thus leak the password reset token.
This vulnerability allows an attacker to potentially reset other users' passwords, leading to unauthorized access to user accounts. The severity is high, with a CVSS v3.1 base score of 9.1. The attack vector is network-based, requires low complexity, and can be executed without user interaction or privileges. It has a high impact on both confidentiality and integrity, although availability is not affected. This poses a significant risk to the security of user accounts and the overall system integrity.
There is no evidence that a public proof-of-concept exists, and no evidence of exploitation at the moment.
The available information does not mention a patch for this vulnerability in ArrowCMS version 1.0.0.
While no specific patch is mentioned, potential mitigation strategies include:
1. Implement proper validation and sanitization of Host headers in the forgot password functionality.
2. Use secure, server-side mechanisms for generating and validating password reset tokens.
3. Implement additional authentication steps in the password reset process.
4. Regularly update ArrowCMS to the latest version, as a fix may be available in newer releases.
5. Monitor for any unusual password reset activity or attempts to exploit this vulnerability.
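As an added illustration of mitigation 1 (this is example code, not ArrowCMS's own; the host names, base URL and header dictionaries are constructed), the vulnerable pattern builds the reset link's origin from the client-supplied Host header, while the hardened version checks Host (and X-Forwarded-Host) against an allowlist and derives the link from a server-side configured base URL:

```python
from urllib.parse import urlencode

# Constructed configuration for this example (assumed, not ArrowCMS settings).
CANONICAL_BASE_URL = "https://cms.example.com"
ALLOWED_HOSTS = {"cms.example.com", "www.cms.example.com"}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link origin is whatever the client put in Host."""
    host = headers.get("Host", "")
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def host_is_allowed(headers: dict, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only when Host (port stripped) and any X-Forwarded-Host are expected values."""
    # Strip an optional :port; IPv6 literals are not handled in this example.
    host = headers.get("Host", "").partition(":")[0].strip().lower()
    # X-Forwarded-Host is just as attacker-controllable as Host unless a trusted
    # proxy sets it, so treat it as untrusted input too.
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded is not None:
        if forwarded.partition(":")[0].strip().lower() not in allowed_hosts:
            return False
    return host in allowed_hosts


def safe_reset_link(headers: dict, token: str, base_url=CANONICAL_BASE_URL) -> str:
    """Hardened pattern: refuse unexpected hosts and never echo Host into the link."""
    if not host_is_allowed(headers):
        raise ValueError("unexpected Host header; refusing to build reset link")
    return f"{base_url}/reset-password?{urlencode({'token': token})}"
```

Rejecting the request outright (rather than silently substituting the canonical host) also gives monitoring (mitigation 5) a clear signal to alert on.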
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Feedly found the first article mentioning CVE-2024-42914.
Feedly estimated the CVSS score as HIGH
The vulnerability CVE-2024-42914 in ArrowCMS version 1.0.0 allows attackers to reset passwords and intercept password reset tokens through a Host header injection flaw in the forgot password feature. With a CVSS score of 9.8, this critical vulnerability poses a high risk of exploitation in the wild. Mitigations, detections, and patches should be implemented promptly to prevent unauthorized access and potential downstream impacts on third-party vendors.