Hashview 0.8.1 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.
When a user initiates a password reset, the application generates a link with a reset token and sends it via email. Since the SERVER_NAME variable is not set, the URL in this link is constructed based on the HTTP Host header from the incoming request. An attacker can send a password reset request for the target account with a spoofed Host header pointing to a server under their control. As a result, the victim receives an email with a link leading to the attacker's server, which intercepts the reset token and takes over the account.
An unauthenticated attacker can take control of any user account in the application, gaining full access to its data and functionality (breach of confidentiality, integrity, and availability).
Apply patches available from the vendor according to the references. As a workaround, configure the SERVER_NAME variable in the Hashview application so that the password reset link is constructed based on a trusted server name defined by the administrator, not the HTTP Host header.
Hashview version 0.8.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H