The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Weak Password Recovery Mechanism for Forgotten Password vulnerabilities in an interactive lesson.
Start learningUpgrade apostrophe to version 4.30.0 or higher.
apostrophe is a content management system (CMS) for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS.
Affected versions of this package are vulnerable to Weak Password Recovery Mechanism for Forgotten Password via the resetRequest flow in the login module. An attacker can cause password reset emails to contain links to an attacker-controlled domain by sending a crafted Host header in a POST /api/v1/@apostrophecms/login/reset-request request, which can leak the reset token and allow the attacker to take over the victim’s account.
Notes
passwordReset: true in the login module and only affects deployments that leave apos.baseUrl unset.baseUrl for the ApostropheCMS Express configuration, or set the APOS_BASE_URL environment variable, before enabling passwordReset: true; this prevents password reset emails from being built from the attacker-controlled Host header and stops reset links from pointing to an attacker-controlled domain.