icon

We found results for “

CVE-2021-25980

Date: November 11, 2021

Overview

In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22-WIP-b2e97fe0e through v0.2021.02-WIP-879ef3fe1 and tyse-v0.2021.02-879ef3fe1-regular through tyse-v0.2021.28-af66b6905-regular, are vulnerable to Host Header Injection. By luring a victim application-user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account.

Details

The “Talkyard” application is vulnerable to “Host Header Injection”. When an attacker request for forgot password using victim email id, the host header value in the request is modified to attacker’s address. After successful submission of the request, the victim receives an email with password reset link that actually contains the attacker's address as the base URL. When the victim clicks on the link, the password reset token will be sent to the attacker's address and using it the attacker could reset the password of the victim.

PoC Details

As an attacker, access the forgotten password functionality, and enter the victim's email id. Now intercept the request after clicking the “submit” button. In the “/-/reset-password/specify-email” request, modify the “Host” value to the attacker's address and forward the request. A password reset email link is sent to the victim with the modified base URL.
After clicking on the password reset link received via email, the victim is redirected to the attacker's site.
The attacker will receive the password reset token after the victim accesses the link. Using the token, they make a request to the original site to reset the victim's password. Now the attacker can successfully take over the victim’s account.

Affected Environments

Talkyard versions v0.04.01 through v0.6.74; v0.2020.22 through v0.2021.02; tyse-v0.2021.02 through tyse-v0.2021.28

Prevention

Update to Talkyard version "tyse-v0.2021.29-8cb7f73fe-regular"

Language: TYPE_SCRIPT

Good to know:

icon

Injection

CWE-74
icon

Upgrade Version

Upgrade to version tyse-v0.2021.29-8cb7f73fe-regular

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privilegs Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Additional information: