PT-2019-14735 · Embedthis · Goahead
Ramikan · Published 2019-09-20 · Updated 2020-08-24 · CVE-2019-16645
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Embedthis GoAhead version 2.5.0
Description
An issue was discovered where certain pages, such as "goform/login" and "config/log off page.htm", create links containing a hostname taken from the HTTP Host header of the request, a value that an attacker can set arbitrarily. A link that points at an attacker-chosen host could potentially be used in a phishing attack.
Recommendations
For Embedthis GoAhead version 2.5.0, consider restricting access to the affected pages, such as "goform/login" and "config/log off page.htm", until a patch is available. As a temporary workaround, avoid building links on these pages from the client-supplied HTTP Host header; use a configured hostname instead.
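Two defender-side helpers illustrating the description and the workaround above, added here as an example rather than code from the advisory or from GoAhead: one flags absolute links in a captured response whose host is simply the Host header the client sent, the other shows the allowlist-or-canonical-host pattern for building links. The sample HTML, the hostnames and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of what a page such as goform/login might return when the
# server copies the request's Host header into absolute links. This markup is
# hypothetical, not GoAhead's real output.
CANONICAL_HOST = "device.example.internal"
SUPPLIED_HOST = "attacker.example"
SAMPLE_BODY = (
    "<html><body>"
    f'<form action="http://{SUPPLIED_HOST}/goform/login" method="post">'
    '<input name="user"><input name="pass"></form>'
    f'<a href="http://{SUPPLIED_HOST}/config/log off page.htm">log off</a>'
    '<a href="/help.htm">help</a>'
    "</body></html>"
)

# href="..." and action="..." attributes; double-quoted values only.
_LINK_RE = re.compile(r'(?:href|action)\s*=\s*"([^"]+)"', re.IGNORECASE)


def _host_only(host_header):
    # Drop any :port suffix. (IPv6 literals like [::1]:80 are not handled here.)
    return host_header.split(":")[0].strip().lower()


def reflected_host_links(host_header, body):
    """Return every absolute href/action in `body` whose host equals the Host
    header the client sent. Non-empty means the page builds links from Host."""
    wanted = _host_only(host_header)
    found = []
    for url in _LINK_RE.findall(body):
        parts = urlsplit(url)
        if parts.scheme in ("http", "https") and parts.hostname == wanted:
            found.append(url)
    return found


def base_url_for(host_header, allowed_hosts, canonical_host, scheme="http"):
    """Workaround pattern: only echo a Host value that is on the allowlist;
    anything else falls back to the configured canonical hostname."""
    host = _host_only(host_header)
    if host not in allowed_hosts:
        host = canonical_host
    return f"{scheme}://{host}"
```

Running `reflected_host_links(SUPPLIED_HOST, SAMPLE_BODY)` on the constructed page returns both attacker-hosted links, while the same check against a response built with `base_url_for` returns nothing.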
Weakness Enumeration: Code Injection
Affected Products: Goahead