Vulnerability Details
Severity:
High
Category:
Authentication
Description
The application builds the absolute URL in password reset links from user-controllable request input (such as the Host header) rather than from server-side configuration. An attacker who requests a password reset for a victim's address while supplying a spoofed Host header causes the reset email sent to the victim to contain a link whose hostname points at an attacker-controlled domain, with the reset token embedded in it.
Risks
If the victim clicks the poisoned link, the browser sends the reset token to the attacker's server. The attacker can then replay that token against the real application, set a new password, and take over the account, gaining full access to the victim's data and privileges. No interaction beyond the click is required, and the email itself appears to come from the legitimate service.
Remediation
Generate password reset links from a base URL configured on the server, never from the Host header or from proxy headers such as X-Forwarded-Host. Validate the incoming Host header against an allowlist of expected hostnames and reject requests that do not match, so that a spoofed value cannot reach link-generation code at all. Issue reset tokens that are short-lived, single-use, generated from a cryptographically secure random source, and stored only as a hash. Notify users by email whenever a password reset is requested for their account, so that an unsolicited request is visible to them.
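The following is an added Python example, not code from the original finding or from the affected application, that contrasts the vulnerable link-generation pattern with the remediated one and implements short-lived, single-use reset tokens. The base URL, the allowlisted hostnames, the `/reset` path, and the request headers are all assumed for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Hypothetical server-side configuration (assumed for this example, not from the finding).
CANONICAL_BASE_URL = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.app.example.com"}


def build_reset_link_vulnerable(headers, token):
    """Vulnerable pattern: the absolute URL is built from client-supplied headers.
    Whatever the client sends in X-Forwarded-Host or Host becomes the link's host."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def host_is_allowed(headers):
    """Compare the Host header (port stripped, lowercased) against the allowlist.
    X-Forwarded-Host is deliberately ignored: only a trusted proxy should set it."""
    host = headers.get("Host", "").split(":", 1)[0].strip().lower()
    return host in ALLOWED_HOSTS


def build_reset_link_hardened(headers, token):
    """Hardened pattern: reject unexpected Host values and never let the request
    choose the link's origin; the base URL comes from server configuration."""
    if not host_is_allowed(headers):
        raise ValueError("Host header not in allowlist")
    return f"{CANONICAL_BASE_URL}/reset?{urlencode({'token': token})}"


class ResetTokenStore:
    """Short-lived, single-use reset tokens. Only a SHA-256 digest is stored,
    so a leaked copy of the store does not yield usable tokens."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._tokens = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG
        self._tokens[self._digest(token)] = (user_id, now + self.ttl)
        return token

    def consume(self, token, now=None):
        """Return the user id if the token is valid, else None. pop() makes the token
        single-use; an expired token is discarded too, so it can never be replayed later."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    # Constructed request headers, as an attacker would send them when requesting
    # a reset for the victim's email address (sample data, not captured traffic).
    attacker_headers = {"Host": "evil.example", "X-Forwarded-Host": "evil.example"}
    legit_headers = {"Host": "app.example.com:443"}
    store = ResetTokenStore()
    token = store.issue("user-42")
    print("vulnerable:", build_reset_link_vulnerable(attacker_headers, token))
    try:
        build_reset_link_hardened(attacker_headers, token)
    except ValueError as exc:
        print("hardened rejected attacker request:", exc)
    print("hardened:", build_reset_link_hardened(legit_headers, token))
    print("first use ->", store.consume(token), "second use ->", store.consume(token))
```

In a real deployment the Host allowlist check belongs at the framework or reverse-proxy layer (for example Django's ALLOWED_HOSTS setting) so that it protects every handler, not only the reset flow; the point of `host_is_allowed` here is to show what that check must do. Note that the hardened builder never reads X-Forwarded-Host at all, because a client can send that header directly unless a trusted proxy strips it.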