CVE-2024-46452 describes a Host Header Injection vulnerability found in the password reset functionality of the VigyBag Open Source Online Shop, specifically in the codebase at commit 3f0e21b. Host Header Injection occurs when an application uses the HTTP Host header value without proper validation or sanitization, allowing an attacker to manipulate this header to influence application behavior. In this case, the vulnerability enables attackers to craft malicious URLs that exploit the password reset process to redirect users to attacker-controlled websites. This redirection can facilitate phishing attacks, credential theft, or distribution of malware by misleading users into believing they are interacting with a legitimate site. The vulnerability has a CVSS 3.1 base score of 6.1, categorized as medium severity. The vector indicates the attack can be performed remotely (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality and integrity to a limited extent (C:L, I:L), with no impact on availability (A:N). No known exploits are currently reported in the wild, and no patches or vendor advisories are available at this time. The vulnerability is classified under CWE-74 (Improper Neutralization of HTTP Headers for Web Requests).

For European organizations utilizing the VigyBag Open Source Online Shop platform, this vulnerability poses a significant risk primarily to user trust and data confidentiality. Attackers exploiting this flaw can redirect users during password reset workflows to malicious sites, potentially harvesting credentials or delivering malware payloads. This can lead to account compromise, unauthorized access to sensitive customer data, and reputational damage. Given the password reset function is a critical security feature, exploitation undermines the integrity of authentication processes. Although the vulnerability does not directly impact system availability, the indirect consequences such as phishing campaigns or subsequent attacks leveraging stolen credentials could have broader operational impacts. Organizations in sectors with high regulatory scrutiny around data protection, such as finance, healthcare, and e-commerce, may face compliance risks under GDPR if customer data is compromised due to this vulnerability. The lack of patches increases the window of exposure, emphasizing the need for immediate mitigation.

1. Implement strict validation and sanitization of the Host header in all HTTP requests, especially within the password reset functionality. Reject or ignore requests with unexpected or untrusted Host header values. 2. Use a fixed, server-side configured hostname or whitelist of allowed hostnames when generating URLs for password reset emails or redirects, rather than relying on client-supplied Host headers. 3. Employ URL encoding and output encoding techniques to prevent injection of malicious content in URLs. 4. Monitor and log unusual password reset requests and redirection patterns to detect potential exploitation attempts. 5. Educate users to verify URLs in password reset emails carefully and to report suspicious redirections. 6. If possible, temporarily disable the password reset feature or implement multi-factor authentication (MFA) to reduce risk until a patch or update is available. 7. Engage with the open source community or maintainers of VigyBag to prioritize development and deployment of a security patch addressing this vulnerability.