Description

Craft CMS before 2.6.2976 does not prevent modification of the URL in a forgot-password email message.

Remediation

References

CVE-2017-8385

Related Vulnerabilities

Jboss EAP Uncontrolled Resource Consumption Vulnerability (CVE-2014-0118)
Vulnerable package dependencies [high]
WebLogic Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-11022)
WordPress Plugin Knews Multilingual Newsletters 'ff' Parameter Cross-Site Scripting (1.1.0)
CrushFTP Server Improper Validation of Integrity Check Value Vulnerability (CVE-2023-48795)

Severity

Medium

Classification

CVE-2017-8385
CWE-640
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Tags

Missing Update
Known Vulnerabilities