Skip to content

Latest commit

 

History

History

CVE-2023-39655

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 

CVE-2023-39655: Host Header Injection in Password Reset of @perfood/couch-auth version <= 0.20.0

A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. By sending a specially crafted host header in the forgot password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This may allow an attacker to reset other users' passwords and take over their accounts.

Discovered by Florian Walter, August 2023.

References: