CVE-2024-42903

Name of the Vulnerable Software and Affected Versions LimeSurvey versions 6.6.1+240806 and earlier

Description A Host header injection issue in the password reset function allows attackers to send users a crafted password reset link that directs victims to a malicious domain. This occurs because the password reset function does not properly validate the Host header, enabling malicious redirects.

Recommendations For LimeSurvey versions 6.6.1+240806 and earlier, as a temporary workaround, consider disabling the password reset function until a patch is available. Restrict access to the password reset feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.