Host Header Injection in LimeSurvey Password Reset Function
CVE-2024-42903
6.5 MEDIUM
What is CVE-2024-42903?
A host header injection flaw in the password reset functionality of LimeSurvey allows attackers to manipulate the Host header and deceive users into clicking on malicious password reset links. These links might lead users to unsafe domains, potentially compromising their sensitive information. All versions prior to v.6.6.1+240806 are susceptible to this threat, so updating promptly is critical for users to safeguard against potential phishing attacks.
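The flaw class described above, shown as an added example that is not LimeSurvey's code: a reset link built from the request's Host header next to one built from server-side configuration, plus an allow-list check on the header. The origin, route, host names and function names are assumptions made for illustration.

```python
import re
from urllib.parse import quote

# Assumed deployment settings (hypothetical, not LimeSurvey configuration keys).
CANONICAL_ORIGIN = "https://survey.example.org"
ALLOWED_HOSTS = {"survey.example.org"}
RESET_PATH = "/reset"  # hypothetical route

# host[:port] only; rejects userinfo, whitespace, slashes and other tricks.
_HOST_RE = re.compile(r"([a-z0-9.-]+)(?::\d{1,5})?")


def reset_link_from_host_header(headers, token):
    """Flawed pattern: the link's host is whatever the request claimed."""
    host = headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?token={quote(token, safe='')}"


def reset_link_from_config(token, origin=CANONICAL_ORIGIN):
    """Hardened pattern: the host comes from server-side configuration only."""
    return f"{origin}{RESET_PATH}?token={quote(token, safe='')}"


def host_is_trusted(headers, allowed=ALLOWED_HOSTS):
    """Defence in depth: refuse requests whose Host is not an expected name."""
    match = _HOST_RE.fullmatch(headers.get("Host", "").strip().lower())
    if match is None:
        return False
    return match.group(1).rstrip(".") in allowed


# Constructed sample requests.
NORMAL = {"Host": "survey.example.org"}
SPOOFED = {"Host": "elsewhere.example"}

if __name__ == "__main__":
    for name, request in (("normal", NORMAL), ("spoofed", SPOOFED)):
        print(name, "trusted:", host_is_trusted(request))
        print("  header-derived:", reset_link_from_host_header(request, "abc123"))
        print("  config-derived:", reset_link_from_config("abc123"))
```

With the configuration-derived link, the e-mailed URL stays on the canonical origin regardless of what the request sent, and the allow-list check lets the application reject or log the mismatching request.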