Kasuganosoras · Pigeon · CVE-2026-32616
**Name of the Vulnerable Software and Affected Versions**
Pigeon versions prior to 1.0.201
**Description**
Pigeon is a message board/notepad/social system/blog. When constructing the email verification URL in the register and resendmail flows, the application uses `$_SERVER['HTTP_HOST']` without validation. An attacker can supply an arbitrary Host header on the registration or resend request, so the verification link sent to the user's email points to an attacker-controlled domain. If the user follows that link, the email verification token is delivered to the attacker, which can lead to account takeover.
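The pattern below, added here as an illustration and not taken from Pigeon's code base, shows the vulnerable way of building a verification link from `$_SERVER['HTTP_HOST']` next to a hardened version that derives the link from a configured site URL and rejects requests whose Host header is not on an allowlist. The function names, the `$config` array, the `verify.php` path and the sample requests are all hypothetical.

```php
<?php
// Added example (not Pigeon's code): vulnerable vs. hardened construction
// of an e-mail verification link. Names, paths and config are hypothetical.

// --- Vulnerable pattern described in the advisory ---
// Trusts the client-supplied Host header. A request carrying
//   Host: attacker.example
// produces a link that hands the victim's token to the attacker.
function buildVerifyUrlVulnerable(array $server, string $token): string {
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . '/verify.php?token=' . urlencode($token);
}

// --- Hardened pattern ---
// The canonical site URL comes from server-side configuration, never from
// the request. The Host header is only checked against an allowlist so a
// mismatched request is rejected instead of poisoning the link.
function buildVerifyUrlSafe(array $config, array $server, string $token): string {
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Host may carry "host:port"; strip the port before comparing.
    $hostNoPort = preg_replace('/:\d+$/', '', $host);
    if (!in_array($hostNoPort, $config['allowed_hosts'], true)) {
        throw new RuntimeException('Rejected request with unexpected Host header: ' . $host);
    }
    // Build from the configured base URL, not from the header.
    return rtrim($config['site_url'], '/') . '/verify.php?token=' . urlencode($token);
}

// Constructed sample configuration and requests.
$config = [
    'site_url'      => 'https://forum.example.org',
    'allowed_hosts' => ['forum.example.org'],
];
$token  = bin2hex(random_bytes(16));
$legit  = ['HTTP_HOST' => 'forum.example.org', 'HTTPS' => 'on'];
$forged = ['HTTP_HOST' => 'attacker.example',  'HTTPS' => 'on'];

echo buildVerifyUrlVulnerable($legit, $token), PHP_EOL;  // link on forum.example.org
echo buildVerifyUrlVulnerable($forged, $token), PHP_EOL; // link on attacker.example
echo buildVerifyUrlSafe($config, $legit, $token), PHP_EOL; // always the configured URL
try {
    buildVerifyUrlSafe($config, $forged, $token);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // forged Host is rejected, no mail is sent
}
```

To check whether a deployment is exposed, send the registration or resendmail request with a modified Host header (for example with `curl -H 'Host: attacker.example'`) and inspect the link in the resulting email. Note that a web server or virtual host configured to serve only its canonical name may already reject unknown Host values, but the application should not rely on that; the fix belongs in the code that builds the URL.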
**Recommendations**
Update Pigeon to version 1.0.201 or later.