CVE-2023-38877

Name of the Vulnerable Software and Affected Versions Economizzer version 0.9-beta1

Description A host header injection issue exists, allowing an attacker to send password reset links to users that lead to an attacker-controlled server, thus leaking the password reset token. This enables the attacker to reset other users' passwords by sending a specially crafted host header in the reset password request.

Recommendations For Economizzer version 0.9-beta1, consider disabling the password reset functionality until a patch is available to prevent exploitation of the host header injection vulnerability. Restrict access to the reset password request to minimize the risk of attackers sending specially crafted host headers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.