Daylight Studio FuelCMS
cpe:2.3:a:daylightstudio:fuel_cms:*:*:*:*:*:*:*
- 1.5.2
A vulnerability in the password reset feature of Daylight Studio FuelCMS version 1.5.2 allows unauthenticated attackers to steal password reset tokens from users. This is achieved by manipulating the 'Host' HTTP header to redirect the token to an attacker-controlled server. The attacker must find a valid user email and wait for the victim to click the malicious link in the password reset email.
Exploitation of this vulnerability allows attackers to obtain password reset tokens, which can be used to reset victims' passwords. If an admin or editor account is compromised, attackers could modify or delete any content on the website.
To reproduce this vulnerability, an unauthenticated attacker must first identify a valid user email address. Then, the attacker can use the 'Forgot Password' feature while modifying the 'Host' header to point to their own server. When the victim receives the password reset email and clicks the link, the reset token will be sent to the attacker's server.
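The weakness class described above, shown as an added PHP example (it is not FuelCMS source code and not part of the original advisory): a reset link whose origin is taken from the request's Host header, beside one built from server-side configuration, plus a Host allowlist check. All function names, hostnames and the token value are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not FuelCMS source. All names and values are hypothetical.

const CANONICAL_BASE_URL = 'https://cms.example.test'; // constructed: fixed in server-side config
const ALLOWED_HOSTS = ['cms.example.test'];            // constructed allowlist of served hostnames

// Weak pattern: the link's origin is whatever the client put in the Host header.
function reset_link_from_host(array $server, string $token): string
{
    return 'https://' . $server['HTTP_HOST'] . '/reset/' . rawurlencode($token);
}

// Hardened pattern: the origin comes from configuration only, never from the request.
function reset_link_from_config(string $token): string
{
    return CANONICAL_BASE_URL . '/reset/' . rawurlencode($token);
}

// Defence in depth: refuse requests whose Host header is not a hostname we serve.
function host_is_allowed(array $server): bool
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // drop an optional port suffix
    return in_array($host, ALLOWED_HOSTS, true);
}

// Constructed requests: one with the expected Host, one with a foreign Host.
$requests = [
    ['HTTP_HOST' => 'cms.example.test'],
    ['HTTP_HOST' => 'other.example.net'],
];
$token = 'TOKEN-PLACEHOLDER'; // constructed value, not a real token

foreach ($requests as $server) {
    printf("Host: %s\n", $server['HTTP_HOST']);
    printf("  host-derived link:   %s\n", reset_link_from_host($server, $token));
    printf("  config-derived link: %s\n", reset_link_from_config($token));
    printf("  request accepted:    %s\n", host_is_allowed($server) ? 'yes' : 'no (respond 400)');
}
```

The same allowlist can also be enforced in front of the application, for example with a default virtual host that rejects unknown Host values, so the application never sees them.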