PT-2024-40008 · Nginx · Nginx

Published

2024-05-23

·

Updated

2024-05-23

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

No specific software name or version is mentioned, so this section is not applicable.
Description

A potential hostname injection issue has been discovered, which could allow attackers to alter URL resolution. If a request contains the X-Forwarded-Host HTTP header, a website would use its value instead of the actual HTTP hostname. In cases where caching is enabled, this could allow an attacker to embed a remote URL as the base URL for any site, causing other visitors to be redirected unknowingly. This issue is less likely to affect servers running behind a reverse proxy, such as nginx.
Recommendations

For existing projects that do not run behind a reverse proxy, update the .htaccess file with the following configuration to remove the X-Forwarded-Host header from any request (the module name is mod_headers.c):

<IfModule mod_headers.c>
  RequestHeader unset X-Forwarded-Host
</IfModule>

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

GHSA-25GQ-JVX2-VG9X

Affected Products

Nginx