A Host header injection vulnerability in the password reset function of LimeSurvey v.6.6.1+240806 and before allows attackers to send users a crafted password reset link that will direct victims to a malicious domain.
References
| Link | Resource |
|---|---|
| https://github.com/LimeSurvey/LimeSurvey/compare/6.6.0+240729...6.6.1+240806 | Patch |
| https://github.com/LimeSurvey/LimeSurvey/pull/3920 | Issue Tracking |
| https://github.com/sysentr0py/CVEs/tree/main/CVE-2024-42903 | Third Party Advisory |
Configurations
History
12 Sep 2024, 20:20
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | `cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*` | |
| CWE | CWE-74 | |
| First Time | Limesurvey, Limesurvey limesurvey | |
| Summary | | |
| References | https://github.com/LimeSurvey/LimeSurvey/compare/6.6.0+240729...6.6.1+240806 - Patch | |
| References | https://github.com/LimeSurvey/LimeSurvey/pull/3920 - Issue Tracking | |
| References | https://github.com/sysentr0py/CVEs/tree/main/CVE-2024-42903 - Third Party Advisory | |
| CVSS | v2 : v3 : | v2 : unknown, v3 : 6.5 |
03 Sep 2024, 18:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2024-09-03 18:15
Updated : 2024-09-12 20:20
NVD link : CVE-2024-42903
Mitre link : CVE-2024-42903
CVE.ORG link : CVE-2024-42903
Products Affected
limesurvey
- limesurvey
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')