CVE-2023-38877
published 2023-09-28CVE-2023-38877: A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in…
PriorityP349high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
0.88%
54.6th percentile
A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| economizzer | economizzer | — | — |
| economizzer | economizzer | — | — |
| gugoan | economizzer | 0 – 0.9-beta1 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Economizzer host header injection vulnerability
ghsa·2023-09-28
CVE-2023-38877 [HIGH] CWE-94 Economizzer host header injection vulnerability
Economizzer host header injection vulnerability
A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.
OSV
Economizzer host header injection vulnerability
osv·2023-09-28
CVE-2023-38877 [HIGH] Economizzer host header injection vulnerability
Economizzer host header injection vulnerability
A host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted host header in the reset password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-09-28
Published