Appsmith Origin Header Vulnerability Leading to Account Takeover

Vulnerability

A vulnerability in Appsmith prior to version 1.93 allows for account takeover by misusing the Origin header in password reset and email verification processes. The server accepted the Origin value as the base URL for email links without proper validation. This flaw enabled attackers to direct authentication tokens to their own domains, potentially leading to unauthorized access to user accounts.

Impact

Exploitation of this vulnerability allows attackers to take over user accounts by intercepting authentication tokens sent via email. Additionally, it could expose personal information such as email addresses and account details to third parties.

Reproduction

To reproduce this vulnerability, send a password reset request while manipulating the Origin header to include an attacker-controlled domain. The server will generate a link pointing to the attacker's domain, where the authentication token can be intercepted.

Remediation

Update to Appsmith version 1.93 or later, which fixes this vulnerability by no longer deriving email link URLs from the request's Origin header.
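The flaw and its fix, as an added illustration that is not Appsmith's own code: the vulnerable function builds the emailed reset link from the request's Origin header, while the hardened one always uses an operator-configured base URL and treats an Origin outside the allowlist as a rejected request. The configured URL, the allowlist, the reset path and the dict-shaped headers are all hypothetical.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Hypothetical deployment settings: the instance's canonical public URL and the
# set of origins it is legitimately served from. Both come from configuration,
# never from the incoming request.
CONFIGURED_BASE_URL = "https://appsmith.example.internal"
ALLOWED_ORIGINS = {"https://appsmith.example.internal"}
RESET_PATH = "/reset-password"  # hypothetical path, not Appsmith's real route


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Mirrors the advisory's flaw: whatever Origin the client sends becomes
    the base of the link that is emailed to the user, so a forged Origin
    makes the mail carry the token to a domain the attacker controls."""
    base = headers.get("Origin", CONFIGURED_BASE_URL)
    return f"{base}{RESET_PATH}?{urlencode({'token': token})}"


def normalize_origin(value: str) -> Optional[str]:
    """Canonicalise an Origin header to scheme://host[:port], or return None
    for anything that is not a plain http(s) origin (e.g. 'null', a path,
    userinfo, a javascript: scheme)."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def reset_link_fixed(headers: dict, token: str) -> str:
    """Hardened form: the link base is the configured URL regardless of the
    request. Origin is only ever checked, never used, and a present-but-foreign
    Origin is rejected outright (a missing Origin is tolerated for non-browser
    clients such as API calls)."""
    origin = headers.get("Origin")
    if origin is not None and normalize_origin(origin) not in ALLOWED_ORIGINS:
        raise ValueError("Origin header not in the configured allowlist")
    return f"{CONFIGURED_BASE_URL}{RESET_PATH}?{urlencode({'token': token})}"


if __name__ == "__main__":
    # Constructed request headers: a forged Origin on a reset request.
    forged = {"Origin": "https://untrusted.example"}
    print("vulnerable:", reset_link_vulnerable(forged, "t0k3n"))
    print("fixed     :", reset_link_fixed({}, "t0k3n"))
```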

Added: Jan 12, 2026, 10:19 PM
Updated: Jan 12, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
  spread          5.0
  impact          3.1
  exploitability  7.7
  remediation     7.7
  relevance       2.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.