CVE-2024-42903: 
NixOS vulnerability analysis and mitigation

A Host header injection vulnerability was discovered in the password reset function of LimeSurvey versions up to and including v.6.6.1+240806. The vulnerability was disclosed and assigned CVE-2024-42903. This security flaw affects the password reset functionality of LimeSurvey installations (NVD, MITRE).

The vulnerability allows attackers to manipulate the Host header during password reset requests. The application uses the Request Host Header to construct the password reset link without proper validation. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. It is classified as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (NVD).

When exploited, this vulnerability allows attackers to send users crafted password reset links that direct victims to malicious domains. This could potentially lead to credential theft if users click on the malicious password reset links (NVD, GitHub Advisory).

The vulnerability has been fixed in LimeSurvey version 6.6.1+240806. Users are advised to upgrade to this version or later to address the security issue. The fix includes implementation of proper host validation in the password reset functionality (LimeSurvey Patch).