CVE-2022-33011
Description
Known v1.3.1+2020120201 allows an unauthenticated attacker to perform account takeover via host header injection during password reset.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2022-33011 affects Known (formerly Idno), a social publishing platform written in PHP, in version v1.3.1+2020120201; the GitHub advisory lists all releases up to and including 1.3.1 as affected. The flaw is a host header injection in the password reset flow: the application builds the reset link it sends by e-mail from the Host header of the request that triggered the reset, so an attacker who supplies an attacker-controlled domain in that header causes the e-mailed link to carry the legitimate reset token while pointing at the attacker's site. This is password reset poisoning, the technique described in reference [2]: the victim follows the e-mailed link and unknowingly hands the reset token to the attacker.
Exploitation
Prerequisites and Attack Surface
No authentication is required to trigger the password reset function; the attacker only needs the victim's e-mail address or the username associated with the account. The attacker submits a reset request for that account with the Host header set to an attacker-controlled domain (in practice by routing the request through a proxy such as Burp Suite and editing the header before it is forwarded) [2]. The server builds the reset e-mail from that header, so the victim receives a link that points at the attacker's domain and carries the legitimate reset token in its query string. When the victim clicks it, the attacker's web server receives the request, token included, and the attacker can then present that token to the real application.
Impact
A successful exploit allows the attacker to obtain a valid password reset token for the victim's account. With this token, the attacker can reset the victim's password and gain full control of the account—an account takeover [1][4]. The impact is critical as it compromises user data, identity, and any privileges associated with the account.
Mitigation
Status
As of the publication date (2022-07-08), the advisory confirms the vulnerability in the stated version, and the GitHub Security Advisory lists no patched version (see the Affected packages table). The vendor's repository on GitHub is the primary source for any fix [1]; operators should track it and upgrade once a fixed release is published. No official workaround is documented in the references, but the standard hardening measures apply [4]: do not derive absolute URLs from the Host header at all, or validate it against an allow-list of the hostnames the deployment actually serves, and ignore X-Forwarded-Host unless a trusted reverse proxy is known to set it. This CVE is not listed in CISA's Known Exploited Vulnerabilities Catalog as of this writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| idno/known (Packagist) | <= 1.3.1 | — |
Affected products (2)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application reflects the Host header value into the password reset URL without proper validation or sanitization, enabling host header injection."
Attack vector
An attacker sends a password reset request for the victim's account with the Host header (or a related header such as X-Forwarded-Host, if the application honours it) set to an attacker-controlled domain [ref_id=2]. The application reflects that value into the reset URL it e-mails, so the link carries the victim's reset token but points at the attacker's domain. When the victim clicks the link, the request, token included, arrives at the attacker's server, and the attacker uses the token to reset the victim's password and take over the account [CWE-74].
Affected code
The advisory does not specify the exact file or function responsible for the host header injection. The Known project repository [ref_id=1] is a social publishing platform written in PHP, but no specific vulnerable code path is identified in the provided references.
What the fix does
No patch or remediation guidance is included in the provided references, and the Known repository [ref_id=1] does not show a commit addressing this issue. The correct fix is to stop deriving the reset link's origin from the request: generate password reset URLs from a trusted, configured base URL, and reject (or at least ignore) any request whose Host header is not on an allow-list of the hostnames the site is deployed under. Checking Host alone is not enough if the application also consults X-Forwarded-Host; that header must be ignored unless a trusted reverse proxy is known to set it.
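The flow described in the Exploitation section and under Attack vector above, and the allow-list plus configured-base-URL fix recommended here, side by side as an added Python example. This is not code from the Known project (which is PHP) or from the advisory; the request shape, the /reset path, the hostnames known.example.org and attacker.example, the function names and the reset-URL layout are assumptions made for the example.

```python
"""
Password reset poisoning via Host header injection: the vulnerable
reset-link builder next to a hardened one, driven by a crafted request.

Added illustration; not code from the Known project (which is PHP).
The endpoint path, header handling, function names, hostnames and the
reset-URL layout are assumptions made for this example.
"""
from __future__ import annotations

import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Deployment facts the hardened builder relies on (assumed values).
CANONICAL_BASE_URL = "https://known.example.org"
ALLOWED_HOSTS = frozenset({"known.example.org", "www.known.example.org"})
RESET_PATH = "/reset"  # assumed endpoint path, not Known's real route


def crafted_reset_request(email: str, host: str,
                          forwarded_host: str | None = None) -> bytes:
    """Raw HTTP/1.1 request an attacker sends to the reset endpoint.

    The victim's e-mail goes in the body; the forged origin goes in Host
    and, optionally, X-Forwarded-Host.
    """
    body = urlencode({"email": email}).encode()
    lines = [f"POST {RESET_PATH} HTTP/1.1", f"Host: {host}"]
    if forwarded_host is not None:
        lines.append(f"X-Forwarded-Host: {forwarded_host}")
    lines += [
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode() + body


def parse_headers(raw: bytes) -> dict[str, str]:
    """Header names (lower-cased) mapped to values from a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def vulnerable_reset_link(headers: dict[str, str], token: str) -> str:
    """The pattern the advisory describes: the link's origin is whatever
    the request claimed (CWE-74). X-Forwarded-Host is honoured as well,
    so the attacker wins even when a proxy pins the Host header."""
    origin_host = headers.get("x-forwarded-host") or headers.get("host", "")
    return f"https://{origin_host}{RESET_PATH}?{urlencode({'token': token})}"


def hardened_reset_link(headers: dict[str, str], token: str) -> str:
    """Never derives the link's origin from the request.

    Host is still validated against the allow-list so that a request for
    an unexpected host is refused (and can be logged), but the link is
    built from the configured base URL. X-Forwarded-Host is not consulted.
    """
    # urlsplit resolves ports, IPv6 brackets and userinfo tricks such as
    # "known.example.org@attacker.example" (whose hostname is the latter).
    hostname = urlsplit("//" + headers.get("host", "")).hostname
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {headers.get('host')!r}")
    return f"{CANONICAL_BASE_URL}{RESET_PATH}?{urlencode({'token': token})}"


def attacker_view(link: str) -> tuple[str | None, str | None]:
    """What the attacker's web server sees once the victim follows the
    link: the hostname that was requested and the token in the query."""
    parts = urlsplit(link)
    return parts.hostname, parse_qs(parts.query).get("token", [None])[0]


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)
    forged = parse_headers(crafted_reset_request("victim@example.org",
                                                 host="attacker.example"))
    print("vulnerable:", vulnerable_reset_link(forged, token))
    try:
        hardened_reset_link(forged, token)
    except ValueError as err:
        print("hardened rejected:", err)
    legit = parse_headers(crafted_reset_request(
        "victim@example.org", host="known.example.org:443",
        forwarded_host="attacker.example"))
    print("vulnerable (XFH):", vulnerable_reset_link(legit, token))
    print("hardened:", hardened_reset_link(legit, token))
```

Running the file prints the poisoned link for a forged Host, the rejection from the hardened builder, and the canonical link for a legitimate Host even when X-Forwarded-Host is spoofed. Two points carry the fix: the origin of the emitted link comes from configuration and never from the request, and the Host check parses the header with urlsplit so that port suffixes and userinfo tricks are judged on the actual hostname rather than by string comparison.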
Preconditions
- config: The application must build the password reset URLs in its e-mail notifications from the Host header (or X-Forwarded-Host) of the incoming request rather than from a configured base URL.
- network: The attacker must be able to send or influence the HTTP request that triggers the password reset e-mail. Because the reset endpoint is unauthenticated, sending a crafted request directly is sufficient; a man-in-the-middle position is not required.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p757-4v3p-j74f (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-33011 (NVD advisory)
- blog.jitendrapatro.me/multiple-vulnerabilities-in-idno-known-php-cms-software/ (web; cited by GHSA and MITRE)
- github.com/idno/known/blob/dev/composer.json (web)
- github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Account%20Takeover (web; cited by GHSA and MITRE)
- www.pethuraj.com/blog/how-i-earned-800-for-host-header-injection-vulnerability/ (web; cited by GHSA and MITRE)
News mentions
No linked articles in our index yet.