This sounds like something along the lines of password reset poisoning as described in James Kettle's technical write-up "Practical HTTP Host header attacks". [1]
There's slightly more info here, which makes it sound somewhat less severe:
https://securitytracker.com/id/1040525
"ASP.NET Kestrel Web Application HTML Injection Flaw Lets Remote Users Reset the Target User's Password
A vulnerability was reported in ASP.NET. A remote user can inject HTML to reset the target user's password.
Kestrel web applications do not properly validate web input. A remote user can supply a specially crafted request to inject HTML and cause a 'password reset' email to be sent to the target user. The password reset may be triggered when the target user opens the email."
(edit) So I guess the host header somehow ends up in the password reset email without any filtering/escaping? Maybe you could abuse that by turning the password reset link into an <img> link to a server you control, with the password reset secret at the end. Once the image is loaded you get the password reset secret and can use that to get into the account. Something like that?
Not sure if I would classify that as a Kestrel issue.
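To make the speculation above concrete from the defender's side, here is an added example (not code from the thread, the advisory, or ASP.NET Core itself) showing the two patterns in a language-agnostic Python sketch: a reset mail that builds its link from the request's Host header and drops it into HTML unencoded, next to one that rejects unexpected hosts, builds the link from a configured canonical origin, and HTML-encodes the result. The host names, token and template are constructed; the allow-list check mirrors what ASP.NET Core's `AllowedHosts` setting does at the middleware layer, but the functions here are hypothetical and not that framework's API.

```python
import html
from urllib.parse import urlencode, urlunsplit

# Constructed configuration: the only hostname this deployment is served from.
# An ASP.NET Core app keeps the equivalent allow-list in its AllowedHosts setting.
ALLOWED_HOSTS = {"accounts.example.com"}
# Origin used for every absolute link in outbound mail; never taken from a request.
CANONICAL_ORIGIN = ("https", "accounts.example.com")


def host_is_allowed(host_header: str) -> bool:
    """Host-filtering check: accept only exact, configured hostnames (port stripped,
    case-insensitive). Anything else is a poisoned or misrouted request."""
    host = host_header.split(":", 1)[0].strip().lower()
    return host in ALLOWED_HOSTS


def reset_email_unsafe(host_header: str, token: str) -> str:
    """Vulnerable pattern (hypothetical): the absolute link is built from the
    request's Host header and written into the HTML template without encoding.
    Whoever controls the Host header decides where the token is sent and what
    markup the mail carries."""
    return f'<p>Click <a href="https://{host_header}/reset?token={token}">here</a> to reset.</p>'


def reset_email_safe(host_header: str, token: str) -> str:
    """Hardened pattern (hypothetical): reject unexpected hosts before doing any
    work, build the link from the configured origin only, and HTML-encode the URL
    so nothing interpolated can break out of the attribute."""
    if not host_is_allowed(host_header):
        raise ValueError(f"rejected request with unexpected Host header: {host_header!r}")
    scheme, authority = CANONICAL_ORIGIN
    url = urlunsplit((scheme, authority, "/reset", urlencode({"token": token}), ""))
    return f'<p>Click <a href="{html.escape(url, quote=True)}">here</a> to reset.</p>'


if __name__ == "__main__":
    token = "t0k3n-constructed"
    # Constructed poisoned request: the Host header names a third-party server.
    poisoned_host = "attacker.example"
    print(reset_email_unsafe(poisoned_host, token))   # link now points at attacker.example
    try:
        reset_email_safe(poisoned_host, token)
    except ValueError as err:
        print("blocked:", err)
    print(reset_email_safe("accounts.example.com", token))
```

The detection signal is the same check turned into a log line: a request whose Host header is not on the allow-list should never reach the reset handler, so a rejected-host counter spiking on the password-reset route is worth an alert on its own. Note also that the link is built from `CANONICAL_ORIGIN` and the `token` is passed through `urlencode`, so the mail body contains no request-controlled bytes at all.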