CRITICAL🇵🇱 Wersja polska

CVE-2025-43930

CVSS 9.8v3.1pub. 2025-07-07upd. 2026-04-15

Hashview 0.8.1 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.

🤖 AI Analysis
How it works

When a user initiates a password reset, the application generates a link with a reset token and sends it via email. Since the SERVER_NAME variable is not set, the URL in this link is constructed based on the HTTP Host header from the incoming request. An attacker can send a password reset request for the target account with a spoofed Host header pointing to a server under their control. As a result, the victim receives an email with a link leading to the attacker's server, which intercepts the reset token and takes over the account.

Impact

An unauthenticated attacker can take control of any user account in the application, gaining full access to its data and functionality (breach of confidentiality, integrity, and availability).

Mitigation & patch

Apply patches available from the vendor according to the references. As a workaround, configure the SERVER_NAME variable in the Hashview application so that the password reset link is constructed based on a trusted server name defined by the administrator, not the HTTP Host header.

Who is affected

Hashview version 0.8.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References