EIQ-2020-0006#
ID |
EIQ-2020-0006 |
|---|---|
CVE |
- |
Description |
HTML Injection into Platform Emails |
Date |
05 Feb 2020 |
Severity |
3 - HIGH |
CVSSv3 score |
CVSSv3 score not available on NIST NVD. |
Status |
✅ 2.7.0 |
Assessment |
EclecticIQ uses the Host header of an HTTP request to specify the domain name of a server that is used to access the platform. When resetting passwords, this mechanism is used to create a link to the platform, which is then sent to the user concerned by email. An attacker can use this mechanism to get the platform send a password reset e-mail with a link pointing to a malicious website. The vulnerability also allows attackers to inject additional HTML elements into an email, such as text or hyperlinks. |
Mitigation |
Upgrade to EclecticIQ Platform 2.7.0 or later. |
Affected versions |
2.6.0 and earlier. |
Notes |
- |