{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0.04.01" }, { "last_affected": "0.6.74-wip-63220cb" }, { "introduced": "0.2020.22-wip-b2e97fe0e" }, { "last_affected": "0.2021.02-wip-879ef3fe1" }, { "introduced": "tyse-v0.2021.02-879ef3fe1-regular" }, { "last_affected": "tyse-v0.2021.28-af66b6905-regular" } ] }, "events": [ { "introduced": "8e90aa7d2eb75c1e43026008c6a7a360a9c39eb8" }, { "last_affected": "63220cb02e4036b9ad13b5636c3eccab52a2d16a" }, { "introduced": "b2e97fe0e77f68ae5fe045c0be27d357a3124c6c" }, { "last_affected": "879ef3fe1e622c6d169ed775af32a1999c4cb6c5" }, { "introduced": "879ef3fe1e622c6d169ed775af32a1999c4cb6c5" }, { "last_affected": "af66b690544d0c172d365b0129cca7779d4907ef" }, { "fixed": "4067e191a909ed06f250d09a40e43aa5edbb0289" } ], "repo": "https://github.com/debiki/talkyard", "type": "GIT" } ] } ], "details": "In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22-WIP-b2e97fe0e through v0.2021.02-WIP-879ef3fe1 and tyse-v0.2021.02-879ef3fe1-regular through tyse-v0.2021.28-af66b6905-regular, are vulnerable to Host Header Injection. By luring a victim application-user to click on a link, an unauthenticated attacker can use the “forgot password” functionality to reset the victim’s password and successfully take over their account.", "id": "CVE-2021-25980", "modified": "2026-03-13T21:54:39.913550776Z", "published": "2021-11-11T07:15:11.380Z", "references": [ { "type": "ADVISORY", "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25980" }, { "type": "FIX", "url": "https://github.com/debiki/talkyard/commit/4067e191a909ed06f250d09a40e43aa5edbb0289" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }