CVE-2021-25994

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-25994

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-25994.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-25994

Aliases

GHSA-cv25-3gmg-c6m8

Published

2022-01-03T07:15:07.243Z

Modified

2026-05-30T17:18:46.900103Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Header Injection. By luring a victim application user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account.

References

Affected packages

Git / github.com/userfrosting/userfrosting

Affected ranges

Type

GIT

Repo

https://github.com/userfrosting/userfrosting

Events

Introduced

baa77a08a8d23d73b0dbbd9ea7b370b601a5fd9e

Fixed

15d713a1fa2e9a67000b2a9a9413473f5c51da4d

Fixed

796dd78757902435d1bd286415feea78098e45ba

Database specific

{
    "cpe": "cpe:2.3:a:userfrosting:userfrosting:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.3.1"
        },
        {
            "fixed": "4.6.3"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-25994.json"