| عنوان | TID Lab Aggie 1.0 Improper Neutralization of HTTP Headers for Scripting Syntax |
|---|
| الوصف | Aggie application's password reset functionality improperly uses the Host header from HTTP requests to generate password reset URLs in emails sent to users. An attacker can supply a malicious Host header, causing password reset links to point to an arbitrary domain. This may lead to phishing attacks or theft of password reset tokens. The vulnerability affects the endpoint /reset-password and arises because req.headers.host is used directly without validation or a whitelist. |
|---|
| المصدر | ⚠️ https://github.com/lakshayyverma/CVE-Discovery/blob/main/TID%20Lab%20Aggie.md |
|---|
| المستخدم | lakshay12311 (UID 91298) |
|---|
| ارسال | 05/10/2025 01:56 PM (8 أشهر منذ) |
|---|
| الاعتدال | 16/10/2025 01:50 PM (11 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 328800 [TID-Lab Aggie 1.0 HTTP Header reset-password.js sendEmail req.headers.host تنفيذ التعليمات البرمجية عن بُعد] |
|---|
| النقاط | 20 |
|---|