CVE-2025-63828

EPSS 0.04%

Backdrop CMS Host Header Injection vulnerability

發布日:2025/11/18修改日:2025/11/20

描述

Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection.

受影響套件(1)

Packagist/backdrop/backdropfrom 0, <= 1.32.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:P

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-63828
PATCHhttps://github.com/backdrop/backdrop
WEBhttps://github.com/mertdurum06/BackdropCms-1.32.1
WEBhttps://github.com/mertdurum06/BackdropCms-1.32.1/blob/main/backdropcms_exploit.txt