CVE-2026-50635

LimeSurvey · LimeSurvey

LimeSurvey fails to validate the HTTP Host header when constructing password-reset links, allowing for Host header injection and account takeover.

Executive summary

An unauthenticated attacker can perform a password reset spoofing attack against LimeSurvey by injecting a malicious HTTP Host header.

Vulnerability

The application incorrectly uses the client-supplied HTTP Host header to construct password-reset links. An unauthenticated attacker can spoof this header so that the generated reset link, and the reset token embedded in it, points at an attacker-controlled server rather than the legitimate application, leading to full account takeover.
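The following is an added example, not LimeSurvey's code, that models the defect class the advisory describes: a reset link whose host is copied from the request's Host header, shown beside a hardened version that rejects any host outside a configured allowlist and always builds the link from the canonical configured host. The setting name 'allowedHosts' mirrors the advisory's wording; the config layout, the /reset-password path and the dict-based request headers are assumptions made for this example.

```python
"""Added example (not LimeSurvey's code): vulnerable vs. hardened construction
of a password-reset link. Config layout, RESET_PATH and the header dict are
assumptions for the example; 'allowedHosts' is the setting name the advisory
refers to, not a claim about LimeSurvey's actual configuration API."""
import secrets
from urllib.parse import quote, urlunsplit

RESET_PATH = "/reset-password"  # assumed path for the example


class HostNotAllowed(ValueError):
    """Request carried a Host header that is not on the configured allowlist."""


def new_reset_token() -> str:
    # Unguessable token. Token quality is not what this advisory is about;
    # the host the token is sent to is.
    return secrets.token_urlsafe(32)


def normalize_host(host: str) -> str:
    # Compare case-insensitively and ignore the port, so "Survey.Example.org:443"
    # matches the allowlist entry "survey.example.org".
    host = host.strip().lower()
    if host.startswith("["):              # IPv6 literal such as "[::1]:8080"
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def host_is_allowed(headers: dict, config: dict) -> bool:
    allowed = {normalize_host(h) for h in config.get("allowedHosts", [])}
    return normalize_host(headers.get("Host", "")) in allowed


def build_reset_link_unsafe(headers: dict, token: str) -> str:
    # Vulnerable pattern: whatever host the client sent becomes the host of the
    # link that is e-mailed to the account owner.
    host = headers.get("Host", "")
    return urlunsplit(("https", host, RESET_PATH, "token=" + quote(token), ""))


def build_reset_link_safe(headers: dict, token: str, config: dict) -> str:
    # Hardened pattern: refuse requests whose Host header is not allowlisted,
    # then build the link from the canonical configured host, never from the
    # request. (normalize_host drops any port; add explicit port handling if
    # the deployment listens on a non-default one.)
    allowed = [normalize_host(h) for h in config.get("allowedHosts", [])]
    if not allowed:
        raise ValueError("allowedHosts must contain at least one hostname")
    if not host_is_allowed(headers, config):
        raise HostNotAllowed(
            f"Host header {headers.get('Host', '')!r} is not allowlisted")
    canonical = allowed[0]
    return urlunsplit(("https", canonical, RESET_PATH, "token=" + quote(token), ""))


if __name__ == "__main__":
    config = {"allowedHosts": ["survey.example.org"]}   # constructed config
    token = new_reset_token()
    forged = {"Host": "reset.attacker.invalid"}         # constructed request
    print("unsafe:", build_reset_link_unsafe(forged, token))
    try:
        build_reset_link_safe(forged, token, config)
    except HostNotAllowed as exc:
        print("safe  : rejected ->", exc)
    print("safe  :", build_reset_link_safe({"Host": "SURVEY.example.org:443"}, token, config))
```

The safe builder does two separate things: it rejects the request outright when the Host header is not allowlisted (so a forged request never produces an e-mail), and even for accepted requests it takes the link host from configuration rather than echoing the header back. Either control alone closes the issue; doing both means a later refactor that loosens one check does not silently reopen it.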

Business impact

The CVSS score of 8.8 reflects the high risk of this vulnerability. Successful exploitation allows an attacker to intercept legitimate password reset tokens, enabling unauthorized access to administrative or user accounts. This could result in the theft of sensitive survey data and total compromise of the application's user base.

Remediation

Immediate Action: Configure the 'allowedHosts' allowlist in the LimeSurvey settings to explicitly define permitted hostnames and reject all others.

Proactive Monitoring: Monitor web server logs for suspicious Host headers or requests that appear to be attempting to spoof the application domain.

Compensating Controls: Deploy a Web Application Firewall (WAF) to validate and filter the Host header in incoming HTTP requests before they reach the application.
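As an added example for the monitoring step above (not LimeSurvey's code or tooling), the scan below flags access-log lines whose Host header is outside the deployment's allowlist and raises the severity when the request targeted a password-reset endpoint. It assumes the web server writes the Host header as the first field of each access-log line (Apache's %{Host}i, for instance); the log lines, the allowlist and the /forgot-password path are constructed for this example.

```python
"""Added example (not LimeSurvey's code): scan access logs for requests whose
Host header is not on the allowlist. Assumed log layout:
    <Host header> <client> - - [time] "<method> <path> <proto>" <status>
The sample lines below are constructed, as is the reset-endpoint path."""
import re
from collections import Counter

SAMPLE_LOG = """\
survey.example.org 203.0.113.5 - - [10/Mar/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200
survey.example.org 203.0.113.5 - - [10/Mar/2026:10:00:07 +0000] "POST /forgot-password HTTP/1.1" 302
reset.attacker.invalid 198.51.100.23 - - [10/Mar/2026:10:01:15 +0000] "POST /forgot-password HTTP/1.1" 302
survey.example.org.attacker.invalid 198.51.100.23 - - [10/Mar/2026:10:01:16 +0000] "POST /forgot-password HTTP/1.1" 302
- 198.51.100.42 - - [10/Mar/2026:10:02:03 +0000] "GET /index.php HTTP/1.0" 200
203.0.113.200 192.0.2.77 - - [10/Mar/2026:10:03:40 +0000] "GET /robots.txt HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_host(host: str) -> str:
    # Case-insensitive match, port ignored; IPv6 literals keep their brackets.
    host = host.strip().lower()
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def scan_log(text: str, allowed_hosts, reset_paths=("/forgot-password",)) -> list:
    """Return one finding per line whose Host header is not allowlisted.

    A non-allowlisted Host on an ordinary request is usually scanner noise or
    a direct-to-IP hit (severity "low"); the same thing on a password-reset
    endpoint is exactly the request shape this advisory is about ("high").
    """
    allowed = {normalize_host(h) for h in allowed_hosts}
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line; skip rather than guess
        if normalize_host(m["host"]) in allowed:
            continue
        on_reset = m["path"].split("?", 1)[0] in reset_paths
        findings.append({
            "time": m["time"],
            "client": m["client"],
            "host": m["host"],
            "path": m["path"],
            "severity": "high" if on_reset else "low",
            "reason": "Host header not in allowlist"
                      + (" on password-reset endpoint" if on_reset else ""),
        })
    return findings


def summarize(findings: list) -> Counter:
    # Count findings per (client, severity) so repeat offenders stand out.
    return Counter((f["client"], f["severity"]) for f in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG, ["survey.example.org"])
    for f in results:
        print(f"{f['severity']:<4} {f['client']:<15} host={f['host']!r} "
              f"{f['path']} ({f['reason']})")
    print(summarize(results))
```

Two of the sample lines illustrate why plain string comparison is not enough: a look-alike host that merely starts with the legitimate name is still flagged because the check is an exact match on the normalized hostname, and a request with no Host header at all (logged as "-") is flagged too, since a missing header is not an allowlisted one.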

Exploitation status

Public Exploit Available: false

Analyst recommendation

Administrators should immediately verify their LimeSurvey configuration and ensure the 'allowedHosts' allowlist is correctly implemented. Given the ease with which this can lead to account takeover, immediate hardening of the Host header validation is required to secure the platform.