CVE-2022-38796
Description
A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. This can be exploited by abusing password reset emails.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Feehi CMS 2.1.1 is vulnerable to Host Header Injection, which can be abused to spoof password reset emails.
Vulnerability
Overview
Feehi CMS 2.1.1 suffers from a Host Header Injection vulnerability. The application does not properly validate or sanitize the HTTP Host header, so an attacker can supply an arbitrary value in that header [1]. The root cause is insufficient input validation at the point where the application uses the Host header to construct absolute URLs or links.
Exploitation
Scenario
An attacker can exploit this vulnerability by intercepting or crafting a request to the Feehi CMS application that includes a malicious Host header. When the application triggers a password reset, it uses the attacker-controlled Host header to generate the reset link. No authentication is required to initiate the password reset process, making the attack surface accessible to unauthenticated remote attackers who can trick a user into clicking a crafted link [1][2].
Impact
Successful exploitation allows an attacker to spoof the Host header, so that the password reset email sent to the victim contains a link pointing at an attacker-controlled domain. If the victim follows the link and submits the reset form, the reset token is disclosed to the attacker, which can result in account takeover [1]. The same technique can also redirect users to phishing pages designed to harvest credentials.
Mitigation
Status
As of the publication date (2022-09-14), no official patch or updated version had been released by the vendor based on the available references [1][2]. Users are advised to apply strict input validation on the Host header or use a reverse proxy to enforce a whitelist of allowed hostnames until a patch is available.
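As an added illustration of the mitigation described above (this is example code, not Feehi CMS's own), the following PHP sketch rejects requests whose Host header is not on a configured allowlist and builds the reset link from a configured canonical base URL instead of the request header; the allowlist, base URL and reset path are assumed values.

```php
<?php
// Added example (not Feehi CMS code): build a password-reset link without trusting the Host header.
// Assumptions: $allowedHosts, $canonicalBase and RESET_PATH come from deployment configuration
// and are constructed here for demonstration.

declare(strict_types=1);

const RESET_PATH = '/site/reset-password'; // hypothetical route, not necessarily Feehi's

/**
 * Return true only if the request Host header exactly matches an allowlisted hostname.
 * Comparison is exact (no substring or suffix matching), so "cms.example.com:8443"
 * must be listed explicitly if a non-default port is used.
 */
function hostIsAllowed(?string $hostHeader, array $allowedHosts): bool
{
    if ($hostHeader === null || $hostHeader === '') {
        return false;
    }
    $host = strtolower(rtrim($hostHeader, '.')); // normalise case and a trailing dot only
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

/**
 * Build the reset link from the configured canonical base URL only.
 * The Host header is checked to reject spoofed requests early, but never used to form the link.
 */
function buildResetUrl(?string $hostHeader, array $allowedHosts, string $canonicalBase, string $token): string
{
    if (!hostIsAllowed($hostHeader, $allowedHosts)) {
        throw new RuntimeException('Rejected request: Host header not in allowlist');
    }
    return rtrim($canonicalBase, '/') . RESET_PATH . '?token=' . rawurlencode($token);
}

// Constructed configuration values.
$allowedHosts  = ['cms.example.com'];
$canonicalBase = 'https://cms.example.com';
$token         = bin2hex(random_bytes(16));

// Legitimate request: the link is derived from the configured base, not from the header.
echo buildResetUrl('cms.example.com', $allowedHosts, $canonicalBase, $token), PHP_EOL;

// Spoofed Host header (constructed value): the request is rejected instead of yielding a poisoned link.
try {
    buildResetUrl('attacker.example', $allowedHosts, $canonicalBase, $token);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The same allowlist check can be enforced one layer earlier in a reverse proxy, in which case the application should still derive links from its configured base URL rather than from any request header.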
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| feehi/cms (Packagist) | <= 2.1.1 | — |
Affected products
- Feehi/CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4r4f-jrvw-h727 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-38796 (GHSA advisory)
- www.youtube.com/watch (GHSA x_refsource_MISC, web)
News mentions
No linked articles in our index yet.