Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pigeon has a Host Header Injection in email verification flow
Vulnerability Description
Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification link sent to the user's email to point to an attacker-controlled domain. This can lead to account takeover by stealing the email verification token. This vulnerability is fixed in 1.0.201.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
Pigeon 注入漏洞
Vulnerability Description
Pigeon是Akkariin Meiko个人开发者的一个轻量化的留言板/记事本/社交系统/博客。 Pigeon 1.0.201之前版本存在注入漏洞,该漏洞源于应用程序在注册和重新发送邮件流程中使用未经验证的$_SERVER[ HTTP_HOST ]构建电子邮件验证URL,可能导致攻击者操纵HTTP请求中的Host标头,使发送给用户的验证链接指向攻击者控制的域,进而导致账户接管。
CVSS Information
N/A
Vulnerability Type
N/A