Horizon Alert
Summary of the vulnerability and why it matters
This vulnerability affects the Grav API plugin, which could allow an unauthenticated attacker to redirect password reset emails to a malicious server. This could lead to the disclosure of password reset tokens and a full account takeover.
- Attackers can redirect password resets.
- Account takeover is possible via compromised links.
- Confirm relevance and exposure to user accounts.
Attack Path
How an attacker could exploit the issue
An attacker can exploit this vulnerability by sending a crafted request to the forgotten password endpoint. This request manipulates the `admin_base_url` parameter to redirect the password reset email to an attacker-controlled server. When the victim clicks the link in the email, the attacker intercepts the password reset token, allowing them to take over the victim's account.
- No authentication required.
- Triggered by a POST request to the forgotten password endpoint.
- Risk of full account takeover.
Live Threat
Current exploitation, exposure, and threat context
The Grav API plugin could allow an unauthenticated attacker to redirect password reset emails to an attacker-controlled server. When a victim clicks the link in the malicious email, a valid password reset token could be disclosed, leading to account takeover. This could occur when the plugin's password reset functionality is accessed and the attacker can influence the `admin_base_url` field, or when the `Referer` or `Origin` headers are manipulated.
- User account access.
- Malicious link redirects reset token.
- Full account takeover.
Operational Fix
Recommended remediation, mitigation, and detection steps
The Grav API plugin's handling of the `admin_base_url` field in the password reset function allows unauthenticated attackers to poison reset links, leading to account takeover. Responsibility likely falls to the platform or application owner managing the Grav CMS instance, with potential coordination needed from security and vendor management teams if a third-party integration is involved. The initial step is to identify all instances of the affected plugin, assess their exposure and business criticality, and then prioritize remediation efforts based on these findings.
- Identify Grav CMS instances and plugin usage.
- Verify plugin reachability and business criticality.
- Coordinate vendor patch or risk reduction.