CVE-2021-30185
Description
CERN Indico before 2.3.4 can use an attacker-supplied Host header in a password reset link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CERN Indico before 2.3.4 allows attackers to craft password reset links using a user-controlled Host header, enabling account takeover.
Vulnerability
CERN Indico versions before 2.3.4 are vulnerable to Host header injection in the password reset functionality. The application uses the Host header supplied by the client to construct the password reset link without validating it against the configured site address. This allows an attacker to control the origin of the reset link by supplying a malicious Host header. [1][3]
Exploitation
An attacker with network access to the Indico instance can send a password reset request with a spoofed Host header pointing to a domain they control. The application then generates a password reset link containing that domain, which is emailed to the target user. If the user clicks the link, the attacker can intercept the reset token and complete the password change. No authentication is required for the attack, and no special privileges are needed. [1][3]
Impact
Successful exploitation allows the attacker to take over the target user's account by obtaining the password reset token. This leads to complete compromise of the affected account, including access to any data or functionality associated with that user's role in Indico. The attack targets the confidentiality and integrity of user accounts. [1][3]
Mitigation
The vulnerability is fixed in Indico version 2.3.4, released on 2021-04-07. Users should upgrade to this version or later. No workarounds are available. [1][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
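The pattern described above, as an added example that is not Indico's own code: a reset-link builder that trusts the request's Host header beside a hardened version that builds the link from a server-side configured base URL and rejects unrecognised hosts. The configuration values, hostnames and URL path are constructed for the demonstration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed deployment settings for the demonstration (assumptions).
TRUSTED_BASE_URL = "https://indico.example.org"
TRUSTED_HOSTS = {"indico.example.org"}


def vulnerable_reset_link(host_header: str, token: str) -> str:
    """The flawed pattern: the link's origin is taken straight from the
    request's Host header, so whatever host the client sent ends up in the
    emailed link."""
    return f"https://{host_header}/reset-password/{token}"


def host_is_trusted(host_header: str) -> bool:
    """Normalise the Host header (strip port, case, trailing dot) and check it
    against the allowlist of hostnames this deployment is actually served on."""
    host = host_header.split(":", 1)[0].lower().rstrip(".")
    return host in TRUSTED_HOSTS


def hardened_reset_link(host_header: str, token: str) -> str:
    """Build the link from configuration only; the Host header is validated but
    never copied into the link. Requests for unknown hosts are rejected."""
    if not host_is_trusted(host_header):
        raise ValueError(f"untrusted Host header: {host_header!r}")
    base = urlsplit(TRUSTED_BASE_URL)
    return urlunsplit((base.scheme, base.netloc, f"/reset-password/{token}", "", ""))


def link_points_to_trusted_host(link: str) -> bool:
    """Outbound check usable in a mail-sending path or a regression test:
    a reset link must only ever point at a trusted hostname."""
    return urlsplit(link).hostname in TRUSTED_HOSTS
```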
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| indico (PyPI) | < 2.3.4 | 2.3.4 |
Affected products
- CERN/Indico
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wgpj-7c2j-vfjm (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-30185 (NVD advisory)
- github.com/indico/indico/releases/tag/v2.3.4 (release notes)
- github.com/indico/indico/security/advisories/GHSA-wgpj-7c2j-vfjm (project security advisory)
- github.com/pypa/advisory-database/tree/main/vulns/indico/PYSEC-2021-18.yaml (PyPA advisory database)
- www.shorebreaksecurity.com/blog (also listed by MITRE)
News mentions
No linked articles in our index yet.