Passbolt API
cpe:2.3:a:passbolt:passbolt_api:*:*:*:*:*:*:*
- <= 4.11.1
A host header injection vulnerability has been identified in Passbolt API versions prior to 5, specifically in version 4.11.1 and earlier. This vulnerability arises when the server is misconfigured, such as not setting the 'fullBaseUrl' or 'server_name', allowing an attacker to manipulate the host header. Exploitation of this vulnerability enables the attacker to send emails containing malicious links that appear to come from a trusted domain, potentially leading to further exploitation if the recipient clicks the link.
Exploitation of this vulnerability could allow email spoofing: messages that appear to come from the trusted domain could carry links to attacker-controlled destinations, misleading users into clicking them and opening the way to further attacks.
Users can update to Passbolt API v4.11.1 or later, where this vulnerability has been addressed. In version 4.11.1, the fix is available behind a configuration flag to maintain backward compatibility; enabling the flag enforces the presence of the 'fullBaseUrl' setting. Version 5 will default to raising an error if 'fullBaseUrl' is not set, but administrators who need to set the host header dynamically can override this default.
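The following is an added illustration of the mitigation described above, not code from Passbolt or this advisory: a startup check that refuses to run without a configured 'fullBaseUrl' (with an explicit override, as the page describes for version 5), and an email-link builder that takes the domain from that setting instead of the request's Host header. The flag name 'allow_dynamic_host', the allow-list mechanism and all hostnames are assumptions constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit


class ConfigError(Exception):
    """Raised when the deployment configuration is unsafe."""


def validate_config(config: dict) -> Optional[str]:
    """Startup check modelled on the fix the advisory describes: refuse to
    run without 'fullBaseUrl' unless the operator explicitly opts in to
    dynamic host resolution. Returns the normalised base URL, or None when
    dynamic resolution was deliberately allowed.
    'allow_dynamic_host' is a hypothetical flag name, not Passbolt's."""
    base = config.get("fullBaseUrl")
    if base:
        parts = urlsplit(base)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ConfigError("fullBaseUrl must be an absolute http(s) URL")
        return base.rstrip("/")
    if config.get("allow_dynamic_host"):
        return None
    raise ConfigError("fullBaseUrl is not set; refusing to start")


def weak_link(headers: dict, path: str) -> str:
    """Unsafe pattern: the link embedded in an outgoing email is built from
    the client-supplied Host header, so whoever sends the request decides
    which domain the email recipient will see."""
    return f"https://{headers['Host']}{path}"


def hardened_link(base_url: Optional[str], headers: dict, path: str,
                  allowed_hosts: tuple = ()) -> str:
    """Hardened pattern: links use the configured base URL. When dynamic
    resolution was explicitly enabled, the Host header must still match an
    operator-maintained allow-list before it is used."""
    if base_url is not None:
        return f"{base_url}{path}"
    host = headers.get("Host", "")
    if host not in allowed_hosts:
        raise ValueError(f"Host header {host!r} is not an allowed host")
    return f"https://{host}{path}"


# Constructed sample request whose Host header does not belong to the site.
SAMPLE_HEADERS = {"Host": "untrusted.example"}

if __name__ == "__main__":
    base = validate_config({"fullBaseUrl": "https://passbolt.example.org/"})
    print(weak_link(SAMPLE_HEADERS, "/auth/verify"))      # reflects the untrusted host
    print(hardened_link(base, SAMPLE_HEADERS, "/auth/verify"))  # uses configured domain
```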