CVE-2024-26470

Name of the Vulnerable Software and Affected Versions FullStackHero's WebAPI Boilerplate versions 1.0.0 through 1.0.1

Description A host header injection issue in the forgot password function allows attackers to leak the password reset token via a crafted request.

Recommendations For versions 1.0.0 and 1.0.1, as a temporary workaround, consider disabling the forgot password function until a patch is available. Restrict access to the forgot password endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.