Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header.
References
| Link | Resource |
|---|---|
| http://www.openwall.com/lists/oss-security/2016/10/05/5 | Mailing List |
| http://www.securityfocus.com/bid/93439 | |
| https://dotclear.org/blog/post/2016/11/01/Dotclear-2.10.3 | Patch, Vendor Advisory |
| https://hg.dotclear.org/dotclear/rev/bb06343f4247 | Patch |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-01-04T21:00:00
Updated: 2017-01-05T10:57:01
Reserved: 2016-09-09T00:00:00
Link: CVE-2016-7903
NVD Information
Status : Modified
Published: 2017-01-04T21:59:00.247
Modified: 2017-01-07T03:00:42.760
Link: CVE-2016-7903
Redhat Information
No data.