GHSA-hqp9-mrjw-7qq2

GitHub Security Advisory

Economizzer host header injection vulnerability

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

A Host header injection vulnerability exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). By sending a specially crafted Host header in the password reset request, an attacker can cause the application to send users password reset links that, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This allows an attacker to reset other users' passwords.
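
The flaw described above comes down to where the reset link's origin is taken from. The following is an added example, not Economizzer's code: it puts a link built from the request's Host header beside one built from configuration, plus a Host allowlist check. The base URL, host list, `/reset-password` path, token and function names are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: deployment-specific values that live in configuration,
// never derived from the incoming request. Both are constructed placeholders.
const CANONICAL_BASE_URL = 'https://economizzer.example';
const ALLOWED_HOSTS = ['economizzer.example'];

// Vulnerable pattern: the link's origin is the client-supplied Host header.
function resetLinkFromHostHeader(array $server, string $token): string
{
    $scheme = (($server['HTTPS'] ?? '') === 'on') ? 'https' : 'http';
    return $scheme . '://' . ($server['HTTP_HOST'] ?? '')
        . '/reset-password?token=' . rawurlencode($token);
}

// Hardened pattern: the origin is a fixed configured value,
// so the Host header has no influence on the e-mailed link.
function resetLinkFromConfig(string $token): string
{
    return CANONICAL_BASE_URL . '/reset-password?token=' . rawurlencode($token);
}

// Defence in depth: refuse requests whose Host header is not an expected name.
function isAllowedHost(array $server): bool
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host); // drop an optional port
    return in_array($host, ALLOWED_HOSTS, true);
}

// Constructed sample requests (not captured traffic).
$token = 'CONSTRUCTED-TOKEN-123';
$requests = [
    'expected host'   => ['HTTPS' => 'on', 'HTTP_HOST' => 'economizzer.example'],
    'unexpected host' => ['HTTPS' => 'on', 'HTTP_HOST' => 'other.example'],
];

foreach ($requests as $label => $server) {
    echo "== $label ==\n";
    echo 'Host-derived link : ' . resetLinkFromHostHeader($server, $token) . "\n";
    echo 'Config-based link : ' . resetLinkFromConfig($token) . "\n";
    echo 'Host allowed      : ' . (isAllowedHost($server) ? 'yes' : 'no, respond 400') . "\n";
}
```

For the second request the Host-derived link points at `other.example` while the config-based link is unchanged, which is the difference a fix needs to guarantee.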

Affected Packages

Packagist gugoan/economizzer
Affected versions: 0 (last affected: 0.9-beta1)

Key Information

GHSA ID: GHSA-hqp9-mrjw-7qq2
Published: September 28, 2023 6:30 AM
Last Modified: October 2, 2023 9:34 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: Packagist
Primary Package: gugoan/economizzer
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 30, 2025 6:36 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.