LinkAce Password Reset Poisoning Vulnerability via X-Forwarded-Host Header Injection Allowing Account Takeover
Vulnerability
A password reset poisoning vulnerability exists in LinkAce versions prior to 2.5.4. This issue arises from the application’s improper trust in user-controlled HTTP headers, specifically the X-Forwarded-Host header, which is used to generate password reset URLs. An attacker can manipulate this header during a password reset request to inject a malicious domain into the reset link sent via email. Consequently, the victim receives an email with a link pointing to the attacker-controlled domain. If the victim clicks the link, the password reset token is sent to the attacker’s server. The attacker can then capture this token and use it to reset the victim’s password, resulting in full account takeover.
Impact
Exploitation of this vulnerability allows for password reset poisoning, leading to unauthorized password resets and full account takeovers.
Remediation
Users can upgrade to LinkAce version 2.5.4 to address this vulnerability.
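The vulnerable and the hardened way of building the reset link, as an added illustration that is not LinkAce's own code. It assumes a configured canonical host (`CANONICAL_HOST`) and a single trusted reverse proxy (`TRUSTED_PROXIES`), and shows why a link derived from X-Forwarded-Host delivers the token wherever the request's sender chose, plus the check a defender can log and alert on.

```python
from urllib.parse import urlencode

# Assumed deployment settings (not from LinkAce): the public host the
# application is configured with, and the only reverse proxy whose
# X-Forwarded-* headers should be believed.
CANONICAL_HOST = "links.example.org"
TRUSTED_PROXIES = {"10.0.0.5"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's host is taken from request headers,
    X-Forwarded-Host first, so whoever sends the reset request chooses it."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/password/reset?{urlencode({'token': token})}"


def forwarded_host_is_suspicious(headers: dict, peer_ip: str) -> bool:
    """Detection check: an X-Forwarded-Host that did not arrive via the trusted
    proxy, or that names a host other than the canonical one, is the signature
    of a poisoning attempt and should be logged and alerted on."""
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded is None:
        return False
    return peer_ip not in TRUSTED_PROXIES or forwarded.lower() != CANONICAL_HOST


def reset_link_hardened(headers: dict, token: str, peer_ip: str) -> str:
    """Hardened pattern: the host always comes from configuration, so request
    headers cannot influence where the token is delivered."""
    if forwarded_host_is_suspicious(headers, peer_ip):
        print(f"warning: unexpected X-Forwarded-Host "
              f"{headers['X-Forwarded-Host']!r} from {peer_ip}")
    return f"https://{CANONICAL_HOST}/password/reset?{urlencode({'token': token})}"


if __name__ == "__main__":
    # Constructed reset request: the legitimate Host plus a forged forwarded host
    # arriving directly from an untrusted client address.
    forged = {"Host": "links.example.org", "X-Forwarded-Host": "attacker.invalid"}
    print(reset_link_vulnerable(forged, "t0ken"))               # host is attacker.invalid
    print(reset_link_hardened(forged, "t0ken", "203.0.113.9"))  # host is links.example.org
```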
