CubeCart versions prior to 6.7.2 (specifically 6.6.x to 6.7.1) improperly construct the CC_STORE_URL constant from the Host request header without an allowlist or validation. This URL is used verbatim in transactional emails, including password reset links generated by User::passwordRequest() and Admin::passwordRequest(). An attacker can send a POST request to /index.php?_a=recover with a malicious Host header (e.g., evil.com), causing CubeCart to generate a valid password reset token linked to the attacker-controlled domain. The victim receives an email with a reset link pointing to the attacker’s domain, and if clicked, the attacker can use the token to gain full account or store takeover. The vulnerability is identified as CWE-20 (Improper Input Validation) among others and has a CVSS 3.1 score of 8.1 (High severity). The issue is resolved in CubeCart version 6.7.2.

Successful exploitation allows an unauthenticated attacker to perform account takeover of any user by tricking them into clicking a password reset link that points to an attacker-controlled domain. This includes potential full store takeover if an administrator's email is targeted. The attacker can generate valid password reset tokens that are accepted by the legitimate store, leading to compromise of user credentials and administrative control.

This vulnerability is fixed in CubeCart version 6.7.2. Users should upgrade to version 6.7.2 or later to remediate this issue. There is no official vendor advisory provided here, and no patch links are listed, but the fix is confirmed in version 6.7.2. Until upgrading, users should be cautious of password reset emails and verify URLs carefully. Patch status is confirmed by the version update; no temporary or alternative mitigations are indicated.