CVE-2016-7903

low

Published 2017-01-04 · Modified 2026-05-06

CVSS v3

3.7

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v2

4.3

VIR risk

3.7

Description

Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header.

Predictions

Exploit likelihood

47%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://hg.dotclear.org/dotclear/rev/bb06343f4247

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://dotclear.org/blog/post/2016/11/01/Dotclear-2.10.3

Application impact

Vendor	Product	Versions	Fixed
dotclear	dotclear	`{"endIncluding":"2.10.2"}`

References

http://www.openwall.com/lists/oss-security/2016/10/05/5
http://www.securityfocus.com/bid/93439
https://dotclear.org/blog/post/2016/11/01/Dotclear-2.10.3
https://hg.dotclear.org/dotclear/rev/bb06343f4247
http://www.openwall.com/lists/oss-security/2016/10/05/5
http://www.securityfocus.com/bid/93439
https://dotclear.org/blog/post/2016/11/01/Dotclear-2.10.3
https://hg.dotclear.org/dotclear/rev/bb06343f4247

CWEs

CWE-264

Verify integrity in audit chain (admin only). AS-IS.