LinkAce: Password Reset Poisoning via X-Forwarded-Host Header Injection Leading to Account Takeover
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP headers. The application uses the X-Forwarded-Host header when generating password reset URLs. By manipulating this header during a password reset request, an attacker can inject an attacker-controlled domain into the reset link sent via email. As a result, the victim receives a password reset email containing a malicious link pointing to an attacker-controlled domain. When the victim clicks the link, the password reset token is transmitted to the attacker-controlled server. An attacker can capture this token and use it to reset the victim’s password, leading to full account takeover. This vulnerability is fixed in 2.5.4.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-601 | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
Type: CWE
Description: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N