fblog through 983bede allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header.
When a user initiates a password reset, the application builds the reset link based on the Host header from the HTTP request instead of using a configured, trusted server name. An attacker can send a password reset request with an arbitrarily modified Host header pointing to a server they control. As a result, the victim receives an email with a link leading to the attacker's server, which intercepts the reset token. With the token in hand, the attacker can set a new password and fully take over the victim's account.
An attacker can take full control of any user account in the fblog application without knowing its current password. This results in a breach of confidentiality, integrity, and availability of account data.
Apply patches available from the vendor according to the references. As a temporary measure, configure the SERVER_NAME variable in the application so that the password reset link is generated based on a trusted, hardcoded server name rather than the HTTP Host header.
The fblog application in all versions up to and including commit 983bede (repository ghost123gg/fblog).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H