{"api_version":"1","generated_at":"2026-06-10T12:15:35+00:00","cve":"CVE-2016-7903","urls":{"html":"https://cve.report/CVE-2016-7903","api":"https://cve.report/api/cve/CVE-2016-7903.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-7903","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-7903"},"summary":{"title":"CVE-2016-7903","description":"Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header.","state":"PUBLISHED","assigner":"mitre","published_at":"2017-01-04 21:59:00","updated_at":"2026-05-06 22:30:45"},"problem_types":["CWE-264","n/a"],"metrics":[{"version":"3.0","source":"nvd@nist.gov","type":"Primary","score":"3.7","severity":"LOW","vector":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"4.3","severity":"","vector":"AV:N/AC:M/Au:N/C:N/I:P/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"}}],"references":[{"url":"https://hg.dotclear.org/dotclear/rev/bb06343f4247","name":"https://hg.dotclear.org/dotclear/rev/bb06343f4247","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"Dotclear: changeset 3352:bb06343f4247","mime":"text/html","httpstatus":"503","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/93439","name":"http://www.securityfocus.com/bid/93439","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Dotclear 'admin/auth.php' Password Reset Security Bypass Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://dotclear.org/blog/post/2016/11/01/Dotclear-2.10.3","name":"https://dotclear.org/blog/post/2016/11/01/Dotclear-2.10.3","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Vendor Advisory"],"title":"Dotclear 2.10.3 › Dotclear News › Dotclear › Blog management made easy","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2016/10/05/5","name":"http://www.openwall.com/lists/oss-security/2016/10/05/5","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"],"title":"oss-security - CVE-2016-7903: Dotclear <= 2.10.2 Password Reset Address Spoof","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-7903","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-7903","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"7903","vulnerable":"1","versionEndIncluding":"2.10.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"dotclear","cpe5":"dotclear","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2016","cve_id":"7903","cve":"CVE-2016-7903","epss":"0.002760000","percentile":"0.509880000","score_date":"2026-05-11","updated_at":"2026-05-12 00:01:18"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T02:13:20.504Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://dotclear.org/blog/post/2016/11/01/Dotclear-2.10.3"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://hg.dotclear.org/dotclear/rev/bb06343f4247"},{"name":"93439","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/93439"},{"name":"[oss-security] 20161005 CVE-2016-7903: Dotclear <= 2.10.2 Password Reset Address Spoof","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"http://www.openwall.com/lists/oss-security/2016/10/05/5"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2016-10-05T00:00:00.000Z","descriptions":[{"lang":"en","value":"Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-01-05T10:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"tags":["x_refsource_CONFIRM"],"url":"https://dotclear.org/blog/post/2016/11/01/Dotclear-2.10.3"},{"tags":["x_refsource_CONFIRM"],"url":"https://hg.dotclear.org/dotclear/rev/bb06343f4247"},{"name":"93439","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/93439"},{"name":"[oss-security] 20161005 CVE-2016-7903: Dotclear <= 2.10.2 Password Reset Address Spoof","tags":["mailing-list","x_refsource_MLIST"],"url":"http://www.openwall.com/lists/oss-security/2016/10/05/5"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2016-7903","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://dotclear.org/blog/post/2016/11/01/Dotclear-2.10.3","refsource":"CONFIRM","url":"https://dotclear.org/blog/post/2016/11/01/Dotclear-2.10.3"},{"name":"https://hg.dotclear.org/dotclear/rev/bb06343f4247","refsource":"CONFIRM","url":"https://hg.dotclear.org/dotclear/rev/bb06343f4247"},{"name":"93439","refsource":"BID","url":"http://www.securityfocus.com/bid/93439"},{"name":"[oss-security] 20161005 CVE-2016-7903: Dotclear <= 2.10.2 Password Reset Address Spoof","refsource":"MLIST","url":"http://www.openwall.com/lists/oss-security/2016/10/05/5"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2016-7903","datePublished":"2017-01-04T21:00:00.000Z","dateReserved":"2016-09-09T00:00:00.000Z","dateUpdated":"2024-08-06T02:13:20.504Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2017-01-04 21:59:00","lastModifiedDate":"2026-05-06 22:30:45","problem_types":["CWE-264","n/a"],"metrics":{"cvssMetricV30":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":3.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","baseScore":4.3,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:dotclear:dotclear:*:*:*:*:*:*:*:*","versionEndIncluding":"2.10.2","matchCriteriaId":"BEBA8D8D-0F8C-4FB0-933F-F1481EB4458C"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"7903","Ordinal":"1","Title":"CVE-2016-7903","CVE":"CVE-2016-7903","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"7903","Ordinal":"1","NoteData":"Dotclear before 2.10.3, when the Host header is not part of the web server routing process, allows remote attackers to modify the password reset address link via the HTTP Host header.","Type":"Description","Title":"CVE-2016-7903"},{"CveYear":"2016","CveId":"7903","Ordinal":"2","NoteData":"2017-01-04","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"7903","Ordinal":"3","NoteData":"2017-01-05","Type":"Other","Title":"Modified"}]}}}