CVE-2024-45522

Name of the Vulnerable Software and Affected Versions: Linen versions prior to cd37c3e

Description: The issue occurs when resetting a password, where the domain is not verified to be linen.dev or www.linen.dev. This happens in the create function in apps/web/pages/api/forgot-password/index.ts.

Recommendations: For versions prior to cd37c3e, as a temporary workaround, consider disabling the password reset functionality in the create function in apps/web/pages/api/forgot-password/index.ts until a patch is available. Restrict access to the forgot-password API endpoint to minimize the risk of exploitation. Avoid using the password reset feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.