CVE-2021-45226
Description
An issue was discovered in COINS Construction Cloud 11.12. Due to improper validation of user-controlled HTTP headers, attackers can cause it to send password-reset e-mails pointing to arbitrary websites.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
COINS Construction Cloud 11.12 trusts the HTTP Host header in password reset emails, allowing an attacker to redirect reset links to arbitrary domains for phishing.
Vulnerability
COINS Construction Cloud version 11.12 fails to validate the HTTP Host header when generating password reset emails. The application constructs the reset link using the Host header value from the incoming request, which an attacker can control. This allows the email recipient to receive a link that points to an attacker-controlled domain instead of the legitimate service. The vulnerability is classified as Improper Input Validation (CWE-20) [1].
Exploitation
An attacker with network access to intercept or modify HTTP requests can exploit this issue. The attack sequence is simple: (1) trigger a password reset request for a user account under the attacker's control, (2) intercept the request and change the HTTP Host header to an arbitrary domain (e.g., an attacker-owned site), and (3) the application sends the password reset email with a link using that domain. No authentication or special privileges are required beyond the ability to send a reset request and modify headers [1].
Impact
Successful exploitation enables an attacker to conduct a phishing attack. Because the email originates from the trusted COINS Construction Cloud system, the victim may perceive the fraudulent reset link as legitimate and inadvertently disclose credentials or other sensitive information. The intended security mechanism of password reset via email is subverted, potentially leading to account compromise [1][2].
Mitigation
As of the public disclosure date (2022-01-13), no official fix or patch has been released by Construction Industry Solutions (COINS). The vendor was notified on 2021-11-02 but has not responded. The solution status remains open. Users of COINS Construction Cloud 11.12 are advised to monitor for security updates from the vendor and to consider implementing compensating controls, such as network-level filtering of Host headers or using a Web Application Firewall (WAF) to block unauthenticated header manipulation [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- COINS / Construction Cloud
- Range: =11.12
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper validation of the HTTP Host header allows an attacker to control the domain used in password-reset email links."
Attack vector
An attacker triggers a password-reset request for a target user account, intercepts the HTTP request, and modifies the Host header to point to an attacker-controlled domain [ref_id=1]. The application then sends a password-reset email containing a link that uses the attacker-supplied domain. Because the email originates from a trusted source, the victim may follow the link and disclose their reset token to the attacker, enabling account takeover via phishing [ref_id=1].
Affected code
The advisory does not specify particular files or functions. The vulnerability exists in the password-reset endpoint of COINS Construction Cloud 11.12, where the application reads the HTTP Host header to construct the reset-link domain [ref_id=1].
What the fix does
No patch has been published by the vendor; the advisory lists the solution status as "Open" [ref_id=1]. The recommended remediation is to validate the Host header against a whitelist of allowed domains rather than using it directly to construct the reset link. Until a fix is deployed, administrators should monitor for unexpected Host header values and consider deploying a reverse proxy that enforces a strict Host header policy.
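As an added defensive example (not the product's code; the advisory names no files or functions), the following Python contrasts the pattern the advisory describes, copying the link origin from the request's Host header, with a hardened builder that rejects any Host outside a configured allowlist and always derives the link from a canonical base URL. It also includes a small scan over constructed access-log lines for the "unexpected Host header values" monitoring step recommended here and in the Mitigation section. The hostnames, configuration values, log layout and function names are assumptions made for this example.

```python
from urllib.parse import urlencode

# Constructed configuration (assumption: the deploying site sets these).
CANONICAL_BASE_URL = "https://erp.example.com"
ALLOWED_HOSTS = {"erp.example.com", "erp-staging.example.com"}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """The pattern the advisory describes: the link domain is copied from
    the request-controlled Host header. Shown only to contrast with the fix."""
    host = headers.get("Host", "")
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def host_is_allowed(host_header: str) -> bool:
    """Check a Host header value against an explicit allowlist.

    Normalises case, tolerates an optional numeric port, and rejects
    everything else (empty values, IPv6 literals, non-numeric ports).
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal: not an expected public hostname here
        return False
    hostname, _, port = host.partition(":")
    if port and not port.isdigit():
        return False
    return hostname in ALLOWED_HOSTS


def safe_reset_link(headers: dict, token: str) -> str:
    """Hardened builder: refuse requests with an unexpected Host and never
    use the header to form the link; the origin comes from configuration."""
    if not host_is_allowed(headers.get("Host", "")):
        raise ValueError("unexpected Host header; refusing to build reset link")
    return f"{CANONICAL_BASE_URL}/password-reset?{urlencode({'token': token})}"


# Constructed sample access-log lines (not from the advisory) in an assumed
# "host method path status" layout, used to demonstrate the monitoring step.
SAMPLE_LOG = """\
erp.example.com POST /password-reset 200
evil.example.net POST /password-reset 200
erp.example.com GET /login 200
erp.example.com:443 POST /password-reset 200
"""


def unexpected_hosts(log_text: str) -> list:
    """Return (host, path) pairs for requests whose Host is not allowlisted.

    This is the signal an administrator would alert on while no vendor
    patch is available.
    """
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host, _method, path, _status = parts[:4]
        if not host_is_allowed(host):
            findings.append((host, path))
    return findings


if __name__ == "__main__":
    print(vulnerable_reset_link({"Host": "evil.example.net"}, "t0k3n"))
    print(safe_reset_link({"Host": "erp.example.com"}, "t0k3n"))
    print(unexpected_hosts(SAMPLE_LOG))
```

The allowlist check belongs at the edge as well as in the application: a reverse proxy that only forwards requests whose Host matches a configured server name gives the same protection to every endpoint, and the log scan above is the in-application equivalent of the proxy's reject log.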
Preconditions
- Network: the attacker must be able to intercept or modify the HTTP request between the client and the server (e.g., a man-in-the-middle position or control over the client's proxy).
- Input: the attacker must know or guess a valid username/email for which to trigger a password reset.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- appsource.microsoft.com/en-us/product/web-apps/constructionindustrysolutionslimited-5057232.coinsconstructioncloud
- www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-051.txt
- www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construction-cloud-erp-syss-2021-028/-029/-030/-031/-051/-052/-053
News mentions
No linked articles in our index yet.