Vulnerability Details : CVE-2022-23079
motor-admin versions 0.0.1 through 0.2.56 are vulnerable to host header injection in the password reset functionality, where a malicious actor can send a fake password reset email to an arbitrary victim.
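As an added illustration (not motor-admin's own code and not the referenced commit's diff), the snippet below contrasts a reset link built from the inbound Host header with one built from a configured host, which is the fix the referenced commit describes in its title; the host name, URL path and function names are constructed for the example.

```ruby
require 'uri'

# Constructed trusted host for the example; a real deployment would set this
# from its own configuration rather than from anything in the request.
TRUSTED_HOST = 'admin.example.com'

# Vulnerable pattern: the password reset link is assembled from the Host
# header of the request that triggered the reset. The sender of that request
# controls the header, so the value ends up in the email sent to the victim.
def reset_url_from_request_host(request_host, token)
  "https://#{request_host}/password/edit?reset_password_token=#{token}"
end

# Hardened pattern: the link is built from a configured host and the request's
# Host header is never consulted. The token is URL-encoded on the way in.
def reset_url_from_configured_host(token, configured_host: TRUSTED_HOST)
  encoded = URI.encode_www_form_component(token)
  "https://#{configured_host}/password/edit?reset_password_token=#{encoded}"
end

# Defensive check a mailer or test suite can apply before sending: only accept
# a reset link that uses HTTPS and points at the configured host.
def safe_reset_link?(url, configured_host: TRUSTED_HOST)
  uri = URI.parse(url)
  uri.scheme == 'https' && uri.host == configured_host
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  token = 'constructed-token-123'
  # Host header supplied by the requester vs. host from configuration.
  puts reset_url_from_request_host('attacker-controlled.example', token)
  puts reset_url_from_configured_host(token)
end
```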
Products affected by CVE-2022-23079
- cpe:2.3:a:getmotoradmin:motor_admin:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-23079
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~10% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-23079
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | Mend | |
CWE ids for CVE-2022-23079
- The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. Assigned by: vulnerabilitylab@mend.io (Primary)
References for CVE-2022-23079
- https://github.com/motor-admin/motor-admin/commit/a461b7507940a1fa062836daa89c82404fe3ecf9 ("do not use request host in for devise · motor-admin/motor-admin@a461b75 · GitHub"): Patch; Third Party Advisory
- https://www.mend.io/vulnerability-database/CVE-2022-23079 ("Open Source Vulnerability Database | Mend"): Exploit; Third Party Advisory