CVE-2025-61136
Vexday Risk Score: 21 (Low)
SSVC decision (CISA): Track
No sign of exploitation → monitor
CVSS 7.1 · EPSS 0.4% · KEV: no · PoC: — · Nuclei: — · Metasploit: — · Patch: —
Lifecycle
23 Oct 2025: Published in the NVD
Recommendation: Monitor; no sign of exploitation at this time.
A Host Header Injection vulnerability in the password reset component in axewater sharewarez v2.4.3 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links without a fixed SERVER_NAME.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
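The mechanism behind this class of bug, as an added example that is not sharewarez's own code: when no fixed SERVER_NAME is configured, an absolute URL built by Flask's url_for(_external=True) takes its authority from the client-supplied Host header, so an attacker who submits a password-reset request for the victim's account while sending their own Host value gets a reset email whose link points at their server. The model below is plain Python with no Flask dependency; the Request stand-in, the route name /reset_password, the hostnames and the log-line format are all constructed for illustration. It pairs the vulnerable link builder with a hardened one that validates Host against an allowlist and builds the link from a configured origin, and adds a small check that flags reset requests whose Host header is not one of ours in access logs.

```python
"""Model of Host-header password-reset poisoning (added example, not project code).

Vulnerable path: the reset link's authority is copied from the Host header,
which is what url_for(_external=True) does in Flask when SERVER_NAME is unset.
Hardened path: reject unexpected Host values and use a configured origin.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

RESET_PATH = "/reset_password"  # hypothetical route name, not sharewarez's


@dataclass
class Request:
    """Constructed stand-in for the parts of a WSGI request that matter here."""
    headers: dict
    scheme: str = "https"

    @property
    def host(self) -> str:
        # Without a configured SERVER_NAME the authority of an external URL
        # comes straight from the client-controlled Host header.
        return self.headers.get("Host", "").lower()


def build_reset_link_vulnerable(request: Request, token: str,
                                server_name: Optional[str] = None) -> str:
    """Mirrors url_for(_external=True): a fixed SERVER_NAME wins, otherwise the
    request's Host header is trusted verbatim (the vulnerable behaviour)."""
    authority = server_name or request.host
    return f"{request.scheme}://{authority}{RESET_PATH}/{token}"


class UntrustedHostError(ValueError):
    """Raised when the Host header is not one this deployment serves."""


def build_reset_link_hardened(request: Request, token: str, canonical_origin: str,
                              trusted_hosts: frozenset) -> str:
    """Reject unexpected Host values up front, then build the link from a
    configured origin so the request can never influence the authority.
    Allowlist entries must be written the way clients send Host (with a
    port where one is used), e.g. "games.example" or "games.example:8443"."""
    if request.host not in trusted_hosts:
        raise UntrustedHostError(f"unexpected Host header: {request.host!r}")
    return f"{canonical_origin.rstrip('/')}{RESET_PATH}/{token}"


def token_leaks_to(link: str, attacker_host: str) -> bool:
    """True if a victim following `link` would hand the token to attacker_host."""
    return urlsplit(link).netloc.lower() == attacker_host.lower()


# Constructed, simplified access-log format: client, request line, Host header.
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" host=(?P<host>\S+)$')


def find_poisoning_attempts(log_lines: Iterable[str],
                            trusted_hosts: frozenset) -> List[Tuple[str, str]]:
    """Return (client, host) pairs for reset requests whose Host header is not
    one of ours: the signature of a poisoning attempt against this bug."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown format: skip rather than guess
        if m["path"].startswith(RESET_PATH) and m["host"].lower() not in trusted_hosts:
            hits.append((m["ip"], m["host"]))
    return hits


if __name__ == "__main__":
    trusted = frozenset({"games.example"})
    evil = Request(headers={"Host": "attacker.example"})
    print("vulnerable:", build_reset_link_vulnerable(evil, "t0k3n"))
    print("with SERVER_NAME:", build_reset_link_vulnerable(evil, "t0k3n", "games.example"))
    try:
        build_reset_link_hardened(evil, "t0k3n", "https://games.example", trusted)
    except UntrustedHostError as exc:
        print("hardened rejected:", exc)
    sample_log = [
        '203.0.113.5 "POST /reset_password" host=attacker.example',
        '198.51.100.7 "POST /reset_password" host=games.example',
    ]
    print("suspicious:", find_poisoning_attempts(sample_log, trusted))
```

In a real Flask deployment the equivalent of the hardened builder is to set SERVER_NAME (and PREFERRED_URL_SCHEME) so url_for(_external=True) no longer reads the Host header, and to restrict accepted hosts at the edge (reverse proxy) or in the app (Werkzeug's Request.trusted_hosts). Note that setting SERVER_NAME also makes Flask route only requests whose Host matches it, so configure it to the value users actually connect with.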
Affected products
n/a · n/a
References
https://drive.google.com/file/d/15X5L1uEqgWOLrjKqm96cEPAWp2ph0zJp/view?usp=sharing
https://gist.github.com/BrookeYangRui/145e529b5fd4f56af299efde37edf4fa
https://github.com/axewater/sharewarez/blob/d04c90b7dc3fbae1596f731d1b168d3fb9fdd2df/modules/routes_login.py#L188-L217
https://github.com/axewater/sharewarez/blob/d04c90b7dc3fbae1596f731d1b168d3fb9fdd2df/modules/utils_smtp.py#L191-L206
https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning