Host header attack when use reset password

I deploy Orangescrum following the guideline for docker [https://hub.docker.com/r/orangescrum/orangescrum-app](url) When I try to change the host to attacker in the request that reset pass throught email (use burp suite) then received email contain it.
=> This issue lead to TakeOver Account, so any solutions to fix it
- Change the host to attacker
![Screen Shot 2021-01-03 at 5 35 14 PM](https://user-images.githubusercontent.com/55070883/103476734-ed120800-4dea-11eb-9e8b-0eb73fee838d.png)
- Email
![Screen Shot 2021-01-03 at 5 38 07 PM](https://user-images.githubusercontent.com/55070883/103476733-e8e5ea80-4dea-11eb-876a-47e93f81f661.png)

 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Host header attack when use reset password #216

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development