PT-2025-28176 · Fblog · Fblog

Credit: Rui Yang +1

Published: 2025-07-07 · Updated: 2025-07-07

CVE-2025-43933

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: fblog versions through 983bede
Description: The issue allows account takeover via the password reset feature because the SERVER NAME is not configured, causing the reset to depend on the Host HTTP header.
Recommendations: For versions through 983bede, configure the SERVER NAME to prevent the password reset feature from relying on the Host HTTP header. As a temporary workaround, consider restricting access to the password reset feature until the SERVER NAME is properly configured.
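As an added illustration (not fblog's own code, and assuming fblog is a Flask-style application whose configuration key is SERVER_NAME), the stand-alone Python below models how a password-reset link ends up built from the client-controlled Host header when SERVER_NAME is unset, and how setting it removes that dependency and lets a mismatching Host be rejected. The host names, token and request dictionaries are constructed for the example.

```python
from urllib.parse import urlunsplit

# Flask-style configuration dicts (constructed; names are assumptions).
WEAK_CONFIG = {}                                   # SERVER_NAME unset: host taken from the request
HARDENED_CONFIG = {"SERVER_NAME": "blog.example"}  # host pinned to the deployment's real name


def external_host(environ, config):
    """Host used for absolute URLs: configured SERVER_NAME if present,
    otherwise whatever the client sent in the Host header (the weak case)."""
    return config.get("SERVER_NAME") or environ.get("HTTP_HOST", "")


def reset_link(environ, config, token, scheme="https"):
    """Absolute password-reset URL, the kind that is e-mailed to the user."""
    return urlunsplit((scheme, external_host(environ, config), f"/reset/{token}", "", ""))


def forgot_password(environ, config, token):
    """Handler returning (status, body). With SERVER_NAME configured, a request
    whose Host header does not match the configured name is refused instead of
    having that host echoed into the reset link."""
    expected = config.get("SERVER_NAME")
    if expected and environ.get("HTTP_HOST", "").lower() != expected.lower():
        return 404, "Host header does not match SERVER_NAME"
    return 200, reset_link(environ, config, token)


if __name__ == "__main__":
    # Constructed request: the Host header names a host other than the real site.
    request = {"HTTP_HOST": "untrusted.example", "PATH_INFO": "/forgot-password"}
    token = "TOKEN-PLACEHOLDER"
    print("SERVER_NAME unset:", forgot_password(request, WEAK_CONFIG, token))
    print("SERVER_NAME set:  ", forgot_password(request, HARDENED_CONFIG, token))
```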

Related Identifiers: CVE-2025-43933

Affected Products: Fblog