CVE-2025-43933 Information

Description

fblog through 983bede allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.

Reference

https://github.com/ghost123gg/fblog/blob/983bedec9f837a54ab2dfd358a9cb45504a2e709/app/templates/auth/email/resetPassword.html#L1-L8
https://github.com/ghost123gg/fblog/issues/5

CNNVD-202507-713 (Published: 2025-07-07)