Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Sub2API Vulnerable to Password Reset Poisoning via Host Header Trust Issue, Leading to Account Takeover
Vulnerability Description
Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 is a Password Reset Poisoning (Host Header / Forwarded Header trust issue), which allows attackers to manipulate the password reset link. Attackers can exploit this flaw to inject their own domain into the password reset link, leading to the potential for account takeover. The vulnerability has been fixed in version v0.1.85. If upgrading is not immediately possible, users can mitigate the vulnerability by disabling the "forgot password" feature until an upgrade to a patched version can be performed. This will prevent attackers from exploiting the vulnerability via the affected endpoint.
CVSS Information
N/A
Vulnerability Type
对输出编码和转义不恰当
Vulnerability Title
Sub2API 安全漏洞
Vulnerability Description
Sub2API是Wesley Liddick个人开发者的一个API网关平台。 Sub2API 0.1.85之前版本存在安全漏洞,该漏洞源于密码重置投毒,可能导致账户接管。
CVSS Information
N/A
Vulnerability Type
N/A