CRITICAL🇵🇱 Wersja polska

CVE-2025-43933

CVSS 9.8v3.1pub. 2025-07-07upd. 2026-04-15

fblog through 983bede allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.

🤖 AI Analysis
How it works

When a user initiates a password reset, the application builds the reset link based on the Host header from the HTTP request instead of using a configured, trusted server name. An attacker can send a password reset request with an arbitrarily modified Host header pointing to a server they control. As a result, the victim receives an email with a link leading to the attacker's server, which intercepts the reset token. With the token in hand, the attacker can set a new password and fully take over the victim's account.

Impact

An attacker can take full control of any user account in the fblog application without knowing its current password. This results in a breach of confidentiality, integrity, and availability of account data.

Mitigation & patch

Apply patches available from the vendor according to the references. As a temporary measure, configure the SERVER_NAME variable in the application so that the password reset link is generated based on a trusted, hardcoded server name rather than the HTTP Host header.

Who is affected

The fblog application in all versions up to and including commit 983bede (repository ghost123gg/fblog).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References