CVE-2024-45979 is a high-severity host header injection vulnerability identified in Lines Police CAD 1.0, a computer-aided dispatch system used by law enforcement agencies. The vulnerability arises because the application improperly trusts the HTTP Host header during the password reset process. An attacker can craft a malicious password reset link containing a manipulated Host header. When a legitimate user interacts with this link, the system generates a password reset token that is exposed or redirected to the attacker-controlled domain or endpoint. This token can then be used by the attacker to reset the victim's password without authorization, effectively compromising the victim's account. The vulnerability requires no authentication but does require user interaction (clicking the crafted link). The CVSS v3.1 score of 8.8 reflects the network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. The CWE-601 classification indicates an open redirect or improper validation of URLs, which aligns with the host header injection nature of this flaw. No patches or official fixes have been released at the time of publication, and no exploits are known to be active in the wild. This vulnerability poses a significant risk to the security of user accounts and the integrity of the Lines Police CAD system, potentially allowing attackers to disrupt law enforcement operations or access sensitive information.

The exploitation of CVE-2024-45979 can lead to unauthorized account takeover by allowing attackers to reset passwords of legitimate users. This compromises the confidentiality of user credentials and sensitive data accessible through compromised accounts. Integrity is impacted as attackers can alter account settings or impersonate users within the system. Availability may also be affected if attackers lock out legitimate users or disrupt dispatch operations. For law enforcement agencies relying on Lines Police CAD 1.0, such compromises could hinder emergency response, expose sensitive operational data, and damage public trust. The requirement for user interaction limits mass exploitation but targeted phishing or social engineering campaigns could be highly effective. The lack of patches increases the window of exposure. Organizations worldwide using this software face risks of operational disruption and data breaches, with potential legal and reputational consequences.

1. Immediately implement strict validation of the HTTP Host header on the server side to ensure it matches expected, whitelisted domains. 2. Avoid using the Host header directly in password reset link generation or token handling; instead, use fixed, server-side configured URLs. 3. Employ additional verification steps in the password reset workflow, such as multi-factor authentication or secondary confirmation channels. 4. Monitor logs for unusual password reset requests or patterns indicative of host header manipulation. 5. Educate users about phishing risks and the dangers of interacting with unsolicited password reset links. 6. If possible, isolate or restrict access to the Lines Police CAD system to trusted networks to reduce exposure. 7. Coordinate with the software vendor for timely patching and updates once available. 8. Consider implementing web application firewalls (WAFs) with rules to detect and block host header injection attempts. 9. Conduct regular security assessments and penetration tests focusing on input validation and authentication flows.