Description
The sisqualWFM 7.1.319.103 thru 7.1.319.111 for Android, has a host header injection vulnerability in its "/sisqualIdentityServer/core/" endpoint. By modifying the HTTP Host header, an attacker can change webpage links and even redirect users to arbitrary or malicious locations. This can lead to phishing attacks, malware distribution, and unauthorized access to sensitive resources.
Exploits (1)
nomisec
WRITEUP
by omershaik0 · poc
https://github.com/omershaik0/CVE-2023-36085_SISQUALWFM-Host-Header-Injection
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085
Exploit, Third Party Advisory
http://packetstormsecurity.com/files/176991/SISQUAL-WFM-7.1.319.103-Host-Header-Injection.html
Scores
CVSS v3
6.1
EPSS
0.0022
EPSS Percentile
44.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-601
Status
published
Products (1)
sisqualwfm/sisqualwfm
7.1.319.103 - 7.1.319.111
Published
Oct 25, 2023
Tracked Since
Feb 18, 2026