CVE-2024-45981: n/a
A host header injection vulnerability in BookReviewLibrary 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link.
AI Analysis
Technical Summary
CVE-2024-45981 is a host header injection vulnerability in BookReviewLibrary version 1.0. It arises from insufficient validation of the HTTP Host header in the password reset functionality: the application trusts the header value when it constructs the password reset link, so an attacker who supplies a manipulated Host header ends up with a crafted reset link that points to a host of the attacker's choosing. When a legitimate user interacts with that crafted link, the password reset token is disclosed to the attacker. The token can then be used to reset the user's password, granting the attacker unauthorized access to the victim's account. The vulnerability is classified under CWE-601 (URL redirection to an untrusted site, i.e. open redirect), a weakness class that facilitates phishing and token theft. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity and availability, with a network (remote) attack vector, low attack complexity and no privileges required, but requiring user interaction. No patches or official fixes are currently listed, and no known exploits have been reported in the wild as of the publication date. Exposure is limited to BookReviewLibrary 1.0 installations that expose the password reset functionality and do not implement additional Host header validation or token protections.
Potential Impact
The exploitation of this vulnerability can lead to severe consequences for affected organizations. Attackers gaining access to password reset tokens can hijack user accounts, potentially leading to unauthorized access to sensitive data, privilege escalation, and further lateral movement within the affected environment. Confidentiality is compromised as attackers can access private user information. Integrity is impacted because attackers can change account credentials and potentially manipulate user data. Availability could be affected if attackers lock out legitimate users by changing passwords or disrupting account access. For organizations relying on BookReviewLibrary 1.0, especially those handling sensitive or personal data, this vulnerability poses a significant risk of data breaches and reputational damage. The requirement for user interaction means phishing or social engineering campaigns could be used to trick users into clicking malicious links, increasing the attack surface. The lack of known exploits currently provides a window for proactive mitigation before widespread exploitation occurs.
Mitigation Recommendations
To mitigate CVE-2024-45981, organizations should implement strict validation of the Host header in all HTTP requests, ensuring it matches a whitelist of trusted domains or expected values. Employing canonicalization and normalization techniques can prevent header manipulation. Additionally, password reset tokens should be bound to the original request context and validated server-side to prevent token leakage or reuse. Implementing multi-factor authentication (MFA) can reduce the impact of compromised credentials. Monitoring and logging unusual password reset requests and link clicks can help detect exploitation attempts. If possible, upgrade or patch BookReviewLibrary to a fixed version once available. In the interim, consider disabling password reset functionality or adding CAPTCHA and email verification steps to reduce automated exploitation risk. Educate users about phishing risks and encourage caution when clicking password reset links from untrusted sources. Network-level protections such as web application firewalls (WAFs) can be configured to detect and block suspicious Host header values. Finally, conduct regular security assessments and code reviews focusing on input validation and authentication workflows.
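The following is an added illustration of the mitigations described above (allowlist validation of the Host header with canonicalization, building the reset link from a configured host rather than the request header, and binding reset tokens server-side so they are single-use and expire). It is not code from BookReviewLibrary or from this advisory; the host names, paths, token store and sample log lines are constructed for the example.

```python
"""Host header validation and reset-token binding for a password reset flow.

Added example, not BookReviewLibrary code. ALLOWED_HOSTS, CANONICAL_HOST,
the /reset path and the in-memory token store are constructed assumptions.
"""
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import urlunsplit

# Constructed allowlist: the only hosts a reset link may ever point to.
ALLOWED_HOSTS = {"books.example.org", "www.books.example.org"}
CANONICAL_HOST = "books.example.org"   # assumed public name of the site
TOKEN_TTL_SECONDS = 15 * 60


def normalize_host(raw: str) -> str:
    """Canonicalize a Host header value before comparing it to the allowlist.

    Lowercases, trims whitespace, drops a port and a trailing dot, so that
    look-alikes such as 'Books.Example.org:443' compare equal to the
    allowlisted name. Bracketed IPv6 literals keep their brackets.
    """
    host = raw.strip().lower()
    if host.startswith("["):               # e.g. [::1]:8080 -> [::1]
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    host = host.split(":", 1)[0]           # strip :port
    return host.rstrip(".")                # strip trailing dot


def host_is_trusted(raw_host_header: str) -> bool:
    return normalize_host(raw_host_header) in ALLOWED_HOSTS


def vulnerable_reset_url(host_header: str, token: str) -> str:
    """Weak pattern: the link is built from the attacker-controllable header."""
    return f"https://{host_header}/reset?token={token}"


def safe_reset_url(host_header: str, token: str) -> str:
    """Hardened form: reject untrusted hosts and never echo the header."""
    if not host_is_trusted(host_header):
        raise ValueError("untrusted Host header in password reset request")
    return urlunsplit(("https", CANONICAL_HOST, "/reset", f"token={token}", ""))


# Constructed in-memory store: sha256(token) -> record. Only the hash is
# kept so a leaked database does not expose live tokens.
_TOKEN_STORE: dict = {}


def issue_reset_token(user_id: str) -> str:
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _TOKEN_STORE[digest] = {"user_id": user_id, "issued_at": time.time(),
                            "used": False}
    return token


def redeem_reset_token(token: str, user_id: str,
                       now: Optional[float] = None) -> bool:
    """Server-side check: token must exist, belong to this user, be unexpired
    and unused. Returns True exactly once per valid token."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _TOKEN_STORE.get(digest)
    if record is None or record["used"]:
        return False
    if record["user_id"] != user_id:
        return False
    if now - record["issued_at"] > TOKEN_TTL_SECONDS:
        return False
    record["used"] = True
    return True


# Constructed access-log lines of the form: host="..." METHOD path status
LOG_LINES = [
    'host="books.example.org" POST /forgot-password 200',
    'host="untrusted.example.net" POST /forgot-password 200',
    'host="Books.Example.org:443" POST /forgot-password 200',
]


def suspicious_reset_requests(lines) -> list:
    """Detection: reset requests whose Host header is outside the allowlist."""
    hits = []
    for line in lines:
        host = line.split('host="', 1)[1].split('"', 1)[0]
        if "/forgot-password" in line and not host_is_trusted(host):
            hits.append(host)
    return hits


if __name__ == "__main__":
    tok = issue_reset_token("user-42")
    print(safe_reset_url("Books.Example.org:443", tok))
    print("flagged:", suspicious_reset_requests(LOG_LINES))
```

The design point is that `safe_reset_url` never places the request's Host header in the link at all; the allowlist check only decides whether to serve the request, and the link is always built from the configured canonical host. The token store keeps a hash, a user binding, an issue time and a used flag so that a token which does leak is useless for anyone else, expires quickly and cannot be replayed.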
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-09-11T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6cf5b7ef31ef0b56a815
Added to database: 2/25/2026, 9:43:17 PM
Last enriched: 2/26/2026, 8:25:45 AM
Last updated: 4/12/2026, 3:34:01 PM