CVE-2024-26470
Severity CVSS v4.0:
Pending analysis
Type:
CWE-200
Information Leak / Disclosure
Publication date:
29/02/2024
Last modified:
30/04/2025
Description
A host header injection vulnerability in the forgot password function of FullStackHero's WebAPI Boilerplate v1.0.0 and v1.0.1 allows attackers to leak the password reset token via a crafted request.
Impact
Base Score 3.x
8.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:fullstackhero:.net_9_starter_kit:1.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fullstackhero:.net_9_starter_kit:1.0.1:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2024-26470
- https://github.com/fullstackhero/dotnet-webapi-boilerplate
- https://www.nuget.org/packages/FullStackHero.WebAPI.Boilerplate
- https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2024-26470
- https://github.com/fullstackhero/dotnet-webapi-boilerplate
- https://www.nuget.org/packages/FullStackHero.WebAPI.Boilerplate