{"id":"CVE-2021-30185","details":"CERN Indico before 2.3.4 can use an attacker-supplied Host header in a password reset link.","aliases":["GHSA-wgpj-7c2j-vfjm","PYSEC-2021-18"],"modified":"2026-04-10T04:32:18.712356Z","published":"2021-04-07T14:15:17.267Z","references":[{"type":"ADVISORY","url":"https://github.com/indico/indico/releases/tag/v2.3.4"},{"type":"ADVISORY","url":"https://www.shorebreaksecurity.com/blog/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/indico/indico","events":[{"introduced":"0"},{"fixed":"dbf09025d3fd96b7a238ed0f5f1057f494d1feff"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.3.4"}]}}],"versions":["v0.97b","v0.97b2","v1.9.11.dev3","v1.9.11.dev6","v1.9.11.dev7","v1.9.11.dev8","v1.9.11.dev9","v1.9.9","v2.0a1","v2.0rc1","v2.1","v2.1a1","v2.1a2","v2.1a3","v2.1b1","v2.1rc1","v2.1rc2","v2.1rc3","v2.1rc4","v2.1rc5","v2.1rc6","v2.2","v2.3","v2.3.1","v2.3.2","v2.3.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-30185.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}