Mend Vulnerability Database
Date: November 11, 2021
Overview
Talkyard versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22-WIP-b2e97fe0e through v0.2021.02-WIP-879ef3fe1, and tyse-v0.2021.02-879ef3fe1-regular through tyse-v0.2021.28-af66b6905-regular are vulnerable to Host Header Injection. By luring a victim application user into clicking a link, an unauthenticated attacker can abuse the “forgot password” functionality to reset the victim’s password and take over their account.
Details
The “Talkyard” application is vulnerable to “Host Header Injection”. When an attacker requests a forgotten-password email for the victim's email address, the Host header value in the request is modified to the attacker's address. After the request is submitted, the victim receives an email containing a password reset link whose base URL is the attacker's address. When the victim clicks the link, the password reset token is sent to the attacker's address, and the attacker can use it to reset the victim's password.
PoC Details
As an attacker, open the forgotten-password functionality and enter the victim's email address. Intercept the request sent after clicking the “submit” button. In the “/-/reset-password/specify-email” request, modify the “Host” value to the attacker's address and forward the request. A password reset email is sent to the victim with a link that uses the modified base URL.
After clicking the password reset link received via email, the victim is redirected to the attacker's site.
The attacker receives the password reset token when the victim accesses the link. Using the token, the attacker makes a request to the original site to reset the victim's password and can then take over the victim’s account.
Affected Environments
Talkyard versions v0.04.01 through v0.6.74; v0.2020.22 through v0.2021.02; tyse-v0.2021.02 through tyse-v0.2021.28
Prevention
Update to Talkyard version "tyse-v0.2021.29-8cb7f73fe-regular"
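The root cause described in the Details and PoC sections is that the reset link's base URL is taken from the request's Host header, which the client controls. The following added example (not Talkyard's code) contrasts that pattern with the hardened form: the link is always built from a configured canonical base URL, and the incoming Host is only validated against an allowlist. The hostnames, the allowlist, and the reset path are constructed assumptions.

```python
"""Password-reset link construction: Host-header-derived (vulnerable) vs configured base (hardened)."""
from urllib.parse import urlsplit

# Constructed configuration, assumed for this example.
CANONICAL_BASE = "https://forum.example.com"
ALLOWED_HOSTS = frozenset({"forum.example.com", "www.forum.example.com"})
RESET_PATH = "/-/reset-password/"  # assumed path shape, not Talkyard's actual route


def reset_link_vulnerable(headers, token):
    """Vulnerable pattern: whatever the client put in Host becomes the link's base URL."""
    host = headers.get("Host", "")
    return f"https://{host}{RESET_PATH}{token}"


def validate_host(headers):
    """Return the request's hostname if it is on the allowlist, otherwise None.

    The header is parsed as an authority component so that userinfo tricks
    ("trusted@attacker"), path fragments and junk ports are all rejected.
    Only the default HTTPS port (or no port) is accepted.
    """
    raw = headers.get("Host", "").strip().lower()
    if not raw:
        return None
    parts = urlsplit("//" + raw)
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    if port not in (None, 443):
        return None
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return None
    return host


def reset_link_hardened(headers, token):
    """Hardened pattern: reject unknown hosts, then build the link from CANONICAL_BASE.

    The Host header is never used as link input, so even an attacker-supplied
    value cannot redirect the reset token anywhere but the real site.
    """
    if validate_host(headers) is None:
        raise ValueError("request Host is not an allowed host for this site")
    return f"{CANONICAL_BASE}{RESET_PATH}{token}"


if __name__ == "__main__":
    attacker_request = {"Host": "attacker.example"}  # constructed request headers
    print(reset_link_vulnerable(attacker_request, "TOKEN"))  # attacker-controlled base URL
    try:
        reset_link_hardened(attacker_request, "TOKEN")
    except ValueError as exc:
        print("rejected:", exc)
    print(reset_link_hardened({"Host": "www.forum.example.com"}, "TOKEN"))
```

Two points matter when applying this behind a reverse proxy: apply the same allowlist check to whichever header the application actually reads (for example X-Forwarded-Host, if the framework honours it), and treat a rejected Host as a logged security event rather than a silent fallback, since it is a direct indicator of the manipulation described above.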
Good to know:
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | Required |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Medium |