CVE-2024-26470

8.1 HIGH

📋 TL;DR

A host header injection vulnerability in FullStackHero's WebAPI Boilerplate allows attackers to leak password reset tokens by manipulating the host header in forgot password requests. This enables unauthorized password resets for user accounts. Affects organizations using versions 1.0.0 or 1.0.1 of this .NET web API boilerplate.

💻 Affected Systems

Products:
  • FullStackHero WebAPI Boilerplate
Versions: v1.0.0 and v1.0.1
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects applications built using this boilerplate with the forgot password functionality enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers reset passwords for all user accounts, gaining unauthorized access to sensitive data and systems.

🟠 Likely Case

Targeted account takeover of specific users through password reset token leakage.

🟢 If Mitigated

Limited impact with proper input validation and token security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted HTTP requests with manipulated host headers to the forgot password endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Implement Host Header Validation (applies to: all)

Add server-side validation to reject or sanitize host headers in forgot password requests.

Implement middleware to validate the Host header against allowed domains.
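The host allow-list workaround in ASP.NET Core, as an added example that is not FullStackHero's own code: the weak default (`"AllowedHosts": "*"` in appsettings.json) is replaced by an explicit allow-list, and the forgot-password handler builds its reset link from configuration rather than from the request's Host header. The hostname `app.example.com`, the `App:PublicBaseUrl` configuration key and the `ForgotPasswordRequest` record are assumptions for the example.

```csharp
// Added example, not FullStackHero's code. Assumes app.example.com is the
// production hostname and App:PublicBaseUrl is a configuration key you define.
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HostFiltering;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Weak setting: the default template appsettings.json carries "AllowedHosts": "*",
// so any Host header is accepted. Corrected setting: an explicit allow-list. The
// built-in host-filtering middleware answers HTTP 400 to any other Host value
// before the forgot-password handler runs.
builder.Services.Configure<HostFilteringOptions>(options =>
{
    options.AllowedHosts = new[] { "app.example.com" };
    options.AllowEmptyHosts = false;
});

var app = builder.Build();
app.UseHostFiltering();

// Forgot-password endpoint (path as in the SIEM query of this advisory). The reset
// link is built from configuration, never from Request.Host, so a spoofed Host
// header cannot redirect it, and the token is only ever sent by e-mail.
app.MapPost("/api/auth/forgot-password", (ForgotPasswordRequest req, IConfiguration cfg) =>
{
    var publicBaseUrl = cfg["App:PublicBaseUrl"] ?? "https://app.example.com";
    var token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
    var resetLink = $"{publicBaseUrl}/reset-password?token={Uri.EscapeDataString(token)}";

    // Hand resetLink to your mail service here (not shown). Respond identically
    // whether or not the address exists, so the endpoint does not enumerate accounts.
    return Results.Ok(new { message = "If the account exists, a reset e-mail has been sent." });
});

app.Run();

record ForgotPasswordRequest(string Email);
```

Requests whose Host header is not on the allow-list are rejected by the framework before reaching the handler, which is the check the "Verify Fix Applied" step below exercises.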

Disable Forgot Password Functionality (applies to: all)

Temporarily disable the vulnerable forgot password endpoint until a fix is available.

Comment out or remove the forgot password route/controller.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block requests with suspicious host headers
  • Monitor logs for unusual forgot password requests and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Test by sending a forgot password request with a manipulated Host header and checking whether the token is leaked in the response or logs.

Check Version:

Check the package version in the project file or NuGet package manager.

Verify Fix Applied:

Verify that host header validation is implemented and test with crafted requests to confirm token leakage is prevented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual host header values in forgot password requests
  • Multiple password reset attempts from same IP

Network Indicators:

  • HTTP requests to forgot password endpoint with non-standard host headers

SIEM Query:

source="web_logs" AND uri_path="/api/auth/forgot-password" AND host_header!="expected-domain.com"

(Replace `expected-domain.com` with the hostname the application is actually served on.)
