Arbitrary HTTP Host Header Phishing Vulnerability in Embedthis GoAhead 2.5.0

Arbitrary HTTP Host Header Phishing Vulnerability in Embedthis GoAhead 2.5.0

CVE-2019-16645 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack.

Learn more about our Phishing Simulation.