CVE-2016-7903

low

Description

Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header.

References

https://hg.dotclear.org/dotclear/rev/bb06343f4247

https://dotclear.org/blog/post/2016/11/01/Dotclear-2.10.3

http://www.securityfocus.com/bid/93439

http://www.openwall.com/lists/oss-security/2016/10/05/5

Details

Source: Mitre, NVD

Published: 2017-01-04

Updated: 2025-04-12

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Severity: Low

EPSS

EPSS: 0.00276

Detections

Analytics