CVE-2025-62406
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-25
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| piwigo | piwigo | 15.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Piwigo 15.6.0 involves the password reset function, which sends a password-reset URL based on the HTTP request's Host header without validating it. An attacker can exploit this by modifying the hostname in the URL sent to a user whose username or email is known or guessed, potentially redirecting the user to a malicious site.
How can this vulnerability impact me?
The vulnerability enables phishing: users receive password-reset links whose hostname points at an attacker-controlled site, which can allow an attacker to capture the reset token or credentials and reset the victim's password without authorization. This compromises the confidentiality and integrity of user accounts.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Piwigo to version 15.7.0 or later, where this vulnerability has been patched. Until the upgrade is applied, consider restricting access to the password reset function or monitoring for suspicious password reset requests that may exploit the Host header manipulation.
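The following Python example, added here and not taken from Piwigo or the CVE record, illustrates the weakness described above and the two mitigations the answers mention: it shows a reset-link builder that trusts the client-supplied Host header next to a hardened version that uses an administrator-configured canonical URL and an allowlist of expected hostnames, plus a small monitor that flags reset requests arriving with an unexpected Host. The canonical URL, allowlist, the `/password.php` path, the log line format and the sample log lines are all constructed assumptions for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Constructed configuration (assumption): the canonical site URL an administrator
# sets explicitly, and the hostnames the site legitimately answers to.
CANONICAL_BASE_URL = "https://gallery.example.org"
ALLOWED_HOSTS = {"gallery.example.org", "www.gallery.example.org"}

# Hypothetical reset endpoint path used throughout this example.
RESET_PATH = "/password.php"


def normalize_host(raw_host):
    """Strip any port and lower-case the name so comparisons are stable."""
    return raw_host.split(":", 1)[0].strip().lower()


def build_reset_url_weak(request_headers, token):
    """CWE-640 pattern: the link's hostname is whatever the client sent as Host.
    A forged Host header therefore lands in the email the victim receives."""
    host = request_headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?{urlencode({'key': token})}"


def build_reset_url_fixed(request_headers, token):
    """Hardened pattern: never derive the link from the request.
    The link uses the configured canonical base URL, and a request whose Host
    is not on the allowlist is rejected before any email is sent."""
    host = normalize_host(request_headers.get("Host", ""))
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_BASE_URL}{RESET_PATH}?{urlencode({'key': token})}"


def reset_url_is_trusted(url):
    """Check a generated link against the allowlist (useful as a last-line guard
    before the mailer, or when auditing links found in outbound mail logs)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def flag_suspicious_reset_requests(log_lines):
    """Monitoring helper: return (host, path) for reset requests whose Host is
    not a hostname this site should ever be addressed by.
    Constructed log format: '<host> <method> <path> <status>'."""
    hits = []
    for line in log_lines:
        host, _method, path, _status = line.split()
        if path.startswith(RESET_PATH) and normalize_host(host) not in ALLOWED_HOSTS:
            hits.append((host, path))
    return hits


# Constructed sample access-log lines for the monitor.
SAMPLE_LOG = [
    "gallery.example.org POST /password.php?action=lost 200",
    "attacker.example POST /password.php?action=lost 200",
    "attacker.example GET /index.php 200",
]

if __name__ == "__main__":
    legit = {"Host": "gallery.example.org"}
    forged = {"Host": "attacker.example"}
    print("weak, forged Host  :", build_reset_url_weak(forged, "tok"))
    print("fixed, legit Host  :", build_reset_url_fixed(legit, "tok"))
    print("flagged requests   :", flag_suspicious_reset_requests(SAMPLE_LOG))
```

The important design point is that the fixed builder does not "sanitize" the Host header into the link; it ignores it entirely and uses a value the administrator controls, with the allowlist check serving only to refuse requests that should never have reached the reset handler. The log monitor applies the same allowlist to incoming requests, which is what the mitigation answer's "monitoring for suspicious password reset requests" looks like in practice.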