An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack.
Se detectó un problema en Embedthis GoAhead versión 2.5.0. Ciertas páginas (tales como goform/login y config/log_off_page.htm) crean enlaces que contienen un nombre del host obtenido desde un encabezado de Host HTTP arbitrario enviado por parte de un atacante. Esto podría ser usado potencialmente en un ataque de phishing.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | HIGH |
| Availability Impact | NONE |
AV:N/AC:L/Au:N/C:N/I:P/A:N
| Access Vector | NETWORK |
|---|---|
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-94
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| embedthis | goahead | 2.5.0 | <built-in method update of dict object at 0x72a9cc3bb280> | Application |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:a:embedthis:goahead:2.5.0:*:*:*:*:*:*:* |