CVE-2026-45013

ApostropheCMS · ApostropheCMS

ApostropheCMS contains a password reset vulnerability where an unauthenticated attacker can manipulate the Host header to redirect password reset emails to an attacker-controlled domain.

Executive summary

ApostropheCMS is vulnerable to an unauthenticated account takeover flaw that allows attackers to redirect password reset links to malicious domains.

Vulnerability

This is a Host header manipulation vulnerability within the password reset flow. An unauthenticated attacker can trigger a password reset for a known email address, causing the application to send a reset link that directs the victim to an attacker-controlled domain, facilitating full account takeover.

Business impact

With a CVSS score of 8.1 (High), this vulnerability poses a severe risk to organizational security. Successful exploitation allows unauthorized parties to gain full control over user accounts, potentially leading to unauthorized data access, intellectual property theft, and loss of administrative control over the CMS platform.

Remediation

Immediate Action: Manually configure the "apos.baseUrl" setting within the application configuration to explicitly define the expected domain and prevent Host header manipulation.

Proactive Monitoring: Review application logs for anomalous password reset requests or unexpected patterns in outgoing email traffic.

Compensating Controls: Implement a Web Application Firewall (WAF) to inspect and sanitize incoming HTTP Host headers, blocking requests that do not match the expected environment domain.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high impact of account takeover, administrators must prioritize hardening the CMS configuration immediately. While no vendor patch is currently available, setting "apos.baseUrl" is a critical security control to mitigate this risk.