{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/host-header-injection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tandoor Recipes"],"_cs_severities":["high"],"_cs_tags":["host-header-injection","cve-2026-33149","web-application"],"_cs_type":"advisory","_cs_vendors":["Tandoor Recipes"],"content_html":"\u003cp\u003eTandoor Recipes, a recipe management and meal planning application, is vulnerable to a host header injection (CVE-2026-33149) in versions up to and including 2.5.3. The vulnerability stems from the application setting \u003ccode\u003eALLOWED_HOSTS = '*'\u003c/code\u003e by default, which disables Host header validation in the Django framework. This lack of validation allows attackers to craft malicious HTTP requests with arbitrary Host headers. The application uses \u003ccode\u003erequest.build_absolute_uri()\u003c/code\u003e to generate absolute URLs in various contexts, including invite link emails, API pagination, and OpenAPI schema generation. This vulnerability allows an attacker to manipulate these generated URLs. The most significant risk is invite link poisoning, where an attacker can make invite links in emails redirect to an attacker-controlled server, potentially compromising user accounts. No patched version is available as of the source publication date.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Tandoor Recipes instance running a vulnerable version (\u0026lt;= 2.5.3).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request to the Tandoor Recipes instance with a malicious \u003ccode\u003eHost\u003c/code\u003e header (e.g., \u003ccode\u003eHost: attacker.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAn administrator of the Tandoor Recipes instance generates an invitation link for a new user.\u003c/li\u003e\n\u003cli\u003eThe application uses \u003ccode\u003erequest.build_absolute_uri()\u003c/code\u003e to construct the invitation link, incorporating the attacker-controlled \u003ccode\u003eHost\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe invitation email is sent to the intended user, containing the malicious invitation link pointing to \u003ccode\u003eattacker.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user clicks the malicious link in the email, unknowingly sending the invite token to the attacker's server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen invite token to create an account on the legitimate Tandoor Recipes instance.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the Tandoor Recipes instance, potentially escalating privileges depending on the application's configuration and the compromised user's role.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to invite link poisoning, allowing attackers to create unauthorized accounts on the Tandoor Recipes instance. The number of potential victims is directly proportional to the number of Tandoor Recipes instances deployed with the vulnerable configuration and the number of users invited through the application. The impact includes unauthorized access to user data, potential modification or deletion of recipes, and the possibility of further lateral movement within the affected environment if the compromised account has elevated privileges. The CVSS v3.1 base score for this vulnerability is 8.1, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests with unusual or unexpected \u003ccode\u003eHost\u003c/code\u003e headers to detect potential exploitation attempts. Analyze webserver logs for abnormalities in \u003ccode\u003ecs-uri-query\u003c/code\u003e for invite URLs (related to invite link poisoning).\u003c/li\u003e\n\u003cli\u003eImplement a web application firewall (WAF) rule to validate the \u003ccode\u003eHost\u003c/code\u003e header against a whitelist of expected values.\u003c/li\u003e\n\u003cli\u003eApply available patches as soon as they are released for Tandoor Recipes to remediate CVE-2026-33149.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipes-host-header-injection/","summary":"Tandoor Recipes versions up to 2.5.3 use a wildcard for ALLOWED_HOSTS, making Django accept any HTTP Host header without validation, which allows an attacker to manipulate server-generated absolute URLs and potentially compromise user accounts through invite link poisoning.","title":"Tandoor Recipes Host Header Injection Vulnerability (CVE-2026-33149)","url":"https://feed.craftedsignal.io/briefs/2024-01-tandoor-recipes-host-header-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Host-Header-Injection","version":"https://jsonfeed.org/version/1.1"}