CVE-2024-42903

A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain.
Configurations

Configuration 1 (hide)

cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*

History

12 Sep 2024, 20:20

Type Values Removed Values Added
CPE cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*
CWE CWE-74
First Time Limesurvey
Limesurvey limesurvey
Summary
  • (es) Una vulnerabilidad de inyección de encabezado de host en la función de restablecimiento de contraseña de LimeSurvey v.6.6.1+240806 y anteriores permite a los atacantes enviar a los usuarios un enlace de restablecimiento de contraseña diseñado específicamente para dirigir a las víctimas a un dominio malicioso.
References () https://github.com/LimeSurvey/LimeSurvey/compare/6.6.0+240729...6.6.1+240806 - () https://github.com/LimeSurvey/LimeSurvey/compare/6.6.0+240729...6.6.1+240806 - Patch
References () https://github.com/LimeSurvey/LimeSurvey/pull/3920 - () https://github.com/LimeSurvey/LimeSurvey/pull/3920 - Issue Tracking
References () https://github.com/sysentr0py/CVEs/tree/main/CVE-2024-42903 - () https://github.com/sysentr0py/CVEs/tree/main/CVE-2024-42903 - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5

03 Sep 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-03 18:15

Updated : 2024-09-12 20:20


NVD link : CVE-2024-42903

Mitre link : CVE-2024-42903

CVE.ORG link : CVE-2024-42903


JSON object : View

Products Affected

limesurvey

  • limesurvey
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')