Vulnerability Details : CVE-2021-43437
Potential exploit
In sourcecodetester Engineers Online Portal as of 10-21-21, an attacker can manipulate the Host header as seen by the web application and cause the application to behave in unexpected ways. Very often multiple websites are hosted on the same IP address. This is where the Host Header comes in. This header specifies which website should process the HTTP request. The web server uses the value of this header to dispatch the request to the specified website. Each website hosted on the same IP address is called a virtual host. And It's possible to send requests with arbitrary Host Headers to the first virtual host.
Products affected by CVE-2021-43437
- cpe:2.3:a:engineers_online_portal_project:engineers_online_portal:1.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-43437
0.42%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 59 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-43437
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2021-43437
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-43437
-
https://medium.com/@mayhem7999/cve-2021-43437-5c5e3b977e84
CVE-2021–43437 - Nithissh - MediumExploit;Third Party Advisory
-
https://portswigger.net/web-security/host-header
HTTP Host header attacks | Web Security AcademyThird Party Advisory
Jump to