Hackathon Starter Privilege Escalation Vulnerability via Host Header Injection

Vulnerability

A privilege escalation vulnerability has been identified in Hackathon Starter version 8.1.0. The issue lies in the user.js component, where the password reset functionality derives the reset link from the request's Host header and can therefore be exploited by injecting a malicious one. An attacker could submit a password reset request for a target user while setting the Host header to a domain under their control. If the targeted user clicks the link in the resulting reset email, the request goes to the attacker's domain and the attacker receives the reset token, allowing them to take over the user's account.

Impact

Exploitation of this vulnerability could lead to a one-click account takeover.

Reproduction

To reproduce this vulnerability, send a POST request to the password reset endpoint with a Host header that points to a domain controlled by the attacker, together with the other headers and data the endpoint requires, such as a CSRF token and the victim's email address. When the victim clicks the password reset link, the attacker's server captures the reset token, which can then be used to reset the victim's password and gain access to the account.

Remediation

Update the application to version 8.1.1, where this vulnerability has been fixed. If the update cannot be applied, configure the server (or the reverse proxy in front of it) to reject requests whose Host header does not match the application's expected hostname, or disable the password reset functionality until the issue is addressed.
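As an added example that is not part of this advisory or of Hackathon Starter's own code, the following Express-style helpers show the two mitigations side by side: a middleware that rejects requests whose Host header is not on an allowlist, and a reset-link builder that uses a configured base URL instead of the request's Host header (the vulnerable pattern is kept beside it for comparison). The hostnames, paths and function names are assumptions.

```javascript
// Added example (not Hackathon Starter's code): host allowlisting and a
// configuration-derived reset link. Hostnames and paths are assumptions.

// Canonical public origin of the app, taken from configuration, never from the request.
const APP_BASE_URL = 'https://app.example.com';

// Host header values this deployment expects (lowercase, optional port).
const ALLOWED_HOSTS = new Set(['app.example.com', 'app.example.com:443', 'localhost:3000']);

// Normalise a raw Host header: trim, lowercase, drop a trailing dot, reject odd shapes.
function normalizeHost(rawHost) {
  if (typeof rawHost !== 'string') return null;
  const host = rawHost.trim().toLowerCase();
  // Only hostname[:port] is accepted; userinfo, paths, schemes and IPv6 literals are rejected.
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/.test(host)) return null;
  return host.replace(/\.(?=:|$)/, '');
}

function isAllowedHost(rawHost) {
  const host = normalizeHost(rawHost);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Express-style middleware: refuse any request whose Host header is not allowlisted.
function hostAllowlist(req, res, next) {
  if (!isAllowedHost(req.headers.host)) {
    res.statusCode = 400;
    return res.end('Bad Request: unexpected Host header');
  }
  return next();
}

// Vulnerable pattern the advisory describes: the link inherits whatever Host the client sent.
function buildResetUrlFromHost(req, token) {
  return `http://${req.headers.host}/reset/${token}`;
}

// Hardened pattern: the link is built from configuration, so the Host header cannot redirect it.
function buildResetUrl(token) {
  return new URL('/reset/' + encodeURIComponent(token), APP_BASE_URL).toString();
}

// Constructed sample request of the kind the advisory describes: Host points at a foreign domain.
const sampleReq = { headers: { host: 'attacker-controlled.example' }, body: { email: 'victim@example.com' } };
const sampleToken = 'constructed-token-123';
console.log('vulnerable link:', buildResetUrlFromHost(sampleReq, sampleToken)); // points off-site
console.log('hardened link:  ', buildResetUrl(sampleToken));                    // stays on APP_BASE_URL
console.log('allowlisted?    ', isAllowedHost(sampleReq.headers.host));         // false
```

Mounting hostAllowlist before the reset route, plus using buildResetUrl in the mailer, closes both halves of the issue; a reverse proxy can enforce the same allowlist in front of the app.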

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  7.7
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.