PT-2023-30313 · Pilos · Pilos

Samuelwei · Published 2023-11-08 · Updated 2023-11-16 · CVE-2023-47107

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PILOS versions prior to 2.3.0

Description: The password reset component in PILOS builds the password reset URL from the hostname supplied in the request's Host header. This allows the URL sent to PILOS users to be manipulated, potentially disclosing the password reset token if the link is followed. The issue only affects local user accounts and requires the password reset option to be enabled.

Recommendations: For versions prior to 2.3.0, update to version 2.3.0, which resolves the issue. As a temporary workaround until the update is applied, disable the password reset option and restrict access to the password reset component to minimize the risk of exploitation.
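The pattern behind this advisory, as an added illustration that is not PILOS's own code: a reset-link builder that trusts the request Host header, next to two hardened forms (a configured canonical base URL, and an explicit hostname allowlist with fallback) plus a pre-send check on the outgoing link. The base URL, allowlist, request headers, token and URL path are all constructed for the example; the function names are hypothetical.

```python
"""
Added example (not PILOS's own code): why deriving a password reset link from
the request Host header exposes the token, and two defensive alternatives.

Everything below is constructed for illustration: the base URL, the allowlist,
the request headers, the token value and the /reset-password/<token> path.
"""
from urllib.parse import urlsplit

# Operator-configured canonical public URL (Laravel applications keep this in
# APP_URL; the value here is a constructed stand-in, not a PILOS setting).
APP_URL = "https://pilos.example.org"

# Explicit allowlist of hostnames this deployment is actually served under.
ALLOWED_HOSTS = {"pilos.example.org", "pilos-backup.example.org"}

SAMPLE_TOKEN = "resettoken-constructed-0123"  # constructed, not a real token


def build_reset_url_vulnerable(headers: dict, token: str) -> str:
    """Pre-2.3.0 style pattern: uses whatever hostname the client sent in Host."""
    host = headers.get("Host", "")
    return f"https://{host}/reset-password/{token}"


def build_reset_url_fixed(headers: dict, token: str) -> str:
    """Hardened: ignore Host entirely and build the link from the configured base URL."""
    return f"{APP_URL.rstrip('/')}/reset-password/{token}"


def build_reset_url_allowlisted(headers: dict, token: str) -> str:
    """Alternative for deployments that legitimately answer on several hostnames:
    honour the request Host only if it is on the allowlist, otherwise fall back
    to the configured base URL. Port and userinfo are stripped before comparing."""
    raw = headers.get("Host", "")
    # urlsplit needs a leading "//" to treat the value as an authority;
    # .hostname drops the port/userinfo and lowercases the name.
    hostname = urlsplit(f"//{raw}").hostname or ""
    if hostname in ALLOWED_HOSTS:
        return f"https://{hostname}/reset-password/{token}"
    return build_reset_url_fixed(headers, token)


def link_points_to_trusted_host(url: str) -> bool:
    """Pre-send check on an outgoing reset link: does it land on a host we control?"""
    return (urlsplit(url).hostname or "") in ALLOWED_HOSTS


def demo() -> dict:
    """Run all three builders against a constructed request whose Host header
    names a hostname the operator does not control."""
    request_headers = {
        "Host": "reset-link-capture.example:8443",  # constructed, attacker-chosen value
        "User-Agent": "constructed-client/1.0",
    }
    return {
        "vulnerable": build_reset_url_vulnerable(request_headers, SAMPLE_TOKEN),
        "fixed": build_reset_url_fixed(request_headers, SAMPLE_TOKEN),
        "allowlisted": build_reset_url_allowlisted(request_headers, SAMPLE_TOKEN),
    }


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name:12s} {url}  trusted={link_points_to_trusted_host(url)}")
```

Only the vulnerable builder produces a link whose hostname is outside the allowlist, which is the property `link_points_to_trusted_host` checks; wiring such a check in front of the mailer is a cheap guard even after the builder itself is fixed, and it gives a clear log signal if a request ever arrives with an unexpected Host value.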

Weakness Enumeration

Related Identifiers

CVE-2023-47107
GHSA-MC6F-FJ9H-5735

Affected Products

Pilos