{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/weak-password/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["apostrophecms"],"_cs_severities":["high"],"_cs_tags":["cve","weak-password","account-takeover"],"_cs_type":"advisory","_cs_vendors":["Apostrophe"],"content_html":"\u003cp\u003eApostropheCMS is vulnerable to a critical account takeover flaw (CVE-2026-45013) stemming from a weak password reset implementation. The vulnerability resides in \u003ccode\u003emodules/@apostrophecms/login/index.js\u003c/code\u003e within the \u003ccode\u003eresetRequest\u003c/code\u003e route. The issue arises when \u003ccode\u003eapos.baseUrl\u003c/code\u003e is not explicitly configured, causing the application to construct the password reset URL using the \u003ccode\u003eHost\u003c/code\u003e header of the incoming HTTP request. This allows an unauthenticated attacker, knowing a victim\u0026rsquo;s email address, to craft a password reset request that directs the victim to a malicious domain under the attacker\u0026rsquo;s control. The victim unknowingly provides the valid reset token to the attacker when clicking the link, enabling full account takeover. This vulnerability affects ApostropheCMS versions up to and including 4.29.0. It matters for defenders because successful exploitation requires minimal attacker effort and can lead to significant data breaches or unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a valid user\u0026rsquo;s email address, potentially through publicly accessible information on the target website.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the \u003ccode\u003e/api/v1/login/reset-request\u003c/code\u003e endpoint, setting the \u003ccode\u003eHost\u003c/code\u003e header to a domain they control (e.g., \u003ccode\u003eevil.attacker.com\u003c/code\u003e). The request body includes the victim\u0026rsquo;s email address in JSON format.\u003c/li\u003e\n\u003cli\u003eThe server, lacking a configured \u003ccode\u003eapos.baseUrl\u003c/code\u003e, uses the attacker-controlled \u003ccode\u003eHost\u003c/code\u003e header to generate a password reset link.\u003c/li\u003e\n\u003cli\u003eThe application sends a password reset email to the victim, containing a URL that points to the attacker\u0026rsquo;s domain. This URL includes a valid, server-generated reset token and the victim\u0026rsquo;s email address as query parameters.\u003c/li\u003e\n\u003cli\u003eThe victim, believing the email to be legitimate, clicks the malicious link.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser sends a GET request to the attacker\u0026rsquo;s server, including the valid reset token and email address in the query parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server captures the reset token and email address from the incoming request.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured token and email address to submit a password reset request to the legitimate \u003ccode\u003e/api/v1/login/reset\u003c/code\u003e endpoint, setting a new password for the victim\u0026rsquo;s account, resulting in full account takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45013 allows an attacker to gain full control of any user account for which they know the email address. This can lead to unauthorized access to sensitive data, modification of website content, and potential further compromise of the entire ApostropheCMS instance. The vulnerability requires no authentication and minimal interaction from the victim, making it easily exploitable at scale. The impact is especially high for deployments where \u003ccode\u003eapos.baseUrl\u003c/code\u003e is not configured, which is common in development environments and some production setups.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately configure the \u003ccode\u003eapos.baseUrl\u003c/code\u003e option in your ApostropheCMS deployment to mitigate CVE-2026-45013, as described in the advisory\u0026rsquo;s \u0026ldquo;Remediation\u0026rdquo; section. This will prevent the application from using the attacker-controlled \u003ccode\u003eHost\u003c/code\u003e header when generating password reset URLs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect ApostropheCMS Weak Password Reset Request\u0026rdquo; to identify attempted exploitation by monitoring for password reset requests with a suspicious Host header.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Access to Password Reset URL\u0026rdquo; to detect when a user clicks on a password reset link from an attacker-controlled host.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T18:30:26Z","date_published":"2026-05-14T18:30:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-weak-password-reset/","summary":"ApostropheCMS is vulnerable to account takeover due to a weak password recovery mechanism; the password reset flow constructs the reset URL using `req.hostname`, derived from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly configured, enabling account takeover if the victim clicks a malicious password reset link.","title":"ApostropheCMS Account Takeover via Weak Password Reset Mechanism (CVE-2026-45013)","url":"https://feed.craftedsignal.io/briefs/2026-05-weak-password-reset/"}],"language":"en","title":"CraftedSignal Threat Feed — Weak-Password","version":"https://jsonfeed.org/version/1.1"}