Cythera Cyber Security

Silverstripe - Host Header Injection

Silverstripe CMS is affected by a Host Header Injection flaw, which can be exploited to manipulate password reset workflows, potentially redirecting or compromising user data.

The client

In a separate engagement, Cythera discovered a Host header injection vulnerability in Silverstripe CMS that could lead to account takeover. Although initially deemed a web server misconfiguration, continued investigations by Cythera revealed recurring instances of the vulnerability across multiple deployments, prompting deeper analysis into its causes and mitigation.

The vulnerability

Silverstripe, in its typical configuration, uses the Host header from incoming HTTP requests to construct application URLs — including password reset links. In a notable case observed in November 2021, a critical flaw was found in the password reset process. The application generated reset links using the Host header without validation. An attacker could exploit this by sending a password reset request for a target user while injecting a malicious host value. If the victim received and clicked the reset email, the reset token would be directed to the attacker’s server, enabling account compromise.

Host Header Injection in Silverstripe

To carry out this attack, an attacker must first know a valid email address associated with the target Silverstripe account. According to previous disclosures, techniques such as time-based enumeration could help attackers discover valid accounts. In certain cases, including an X-Forwarded-For header containing a domain controlled by the attacker was necessary for exploitation.

Further Investigation

Security researcher Will Frame conducted an analysis of publicly available Silverstripe websites to evaluate the scope of exposure. He examined whether the sites accepted arbitrary Host headers and if the "Lost Password" page was publicly accessible.

Out of 2,511 Silverstripe sites tested:

  • 1,305 sites accepted arbitrary Host headers and exposed the password reset page without requiring authentication.
  • 207 of these used Microsoft email hosting, allowing for password reset tokens to be automatically retrieved via Microsoft's SafeLinks URL scanning feature — without any user interaction.
  • It's also worth noting that some other mail servers, although not explicitly using Microsoft’s MX records, routed email through Outlook infrastructure, potentially exposing them to the same risk. These were not included in the tally.

Recommended Remediation

To prevent this vulnerability, Silverstripe recommends explicitly listing allowed Host values in the application's .env configuration file. This blocks requests with forged headers from reaching the application.
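As an added example (not Cythera’s or Silverstripe’s own code), the script below parses the SS_ALLOWED_HOSTS allow-list that Silverstripe reads from .env and checks whether a response from a site you operate still echoes an unlisted Host value in a redirect or an absolute URL, which is what an unvalidated reset link would contain; the .env text, sample responses and the lost-password path are assumed for illustration.

```python
"""Verify Host-header handling on a Silverstripe site you operate (added example,
not Cythera's or Silverstripe's code). SS_ALLOWED_HOSTS is Silverstripe's real
allow-list variable; the .env text, responses and URL path are constructed."""
import http.client
import re
import sys
from urllib.parse import urlsplit

# Constructed .env fragment: the remediation the advisory recommends.
SAMPLE_ENV = 'SS_ALLOWED_HOSTS="www.example.com,example.com"\n'
# host[:port] of every absolute http(s) URL in a response body
URL_RE = re.compile(r'https?://([^/\s"\'<>]+)', re.IGNORECASE)

def allowed_hosts(env_text: str) -> set[str]:
    """Parse the SS_ALLOWED_HOSTS allow-list from .env text (lowercased)."""
    for line in env_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "SS_ALLOWED_HOSTS":
            value = value.strip().strip("\"'")
            return {h.strip().lower() for h in value.split(",") if h.strip()}
    return set()

def reflected_hosts(headers: dict, body: str, allowed: set[str]) -> list[str]:
    """Hosts outside the allow-list echoed in Location or in body URLs.
    Non-empty means the app still builds URLs from the raw Host value."""
    netlocs = URL_RE.findall(body)
    location = headers.get("Location", "")
    if location.lower().startswith("http"):
        netlocs.insert(0, urlsplit(location).netloc)
    found: list[str] = []
    for netloc in netlocs:
        host = urlsplit("//" + netloc).hostname  # drops port and userinfo
        if host and host not in allowed and host not in found:
            found.append(host)
    return found

def probe(url: str, bogus_host: str, allowed: set[str]) -> list[str]:
    """GET your own lost-password page with a non-resolving Host value and
    report reflected hosts; after remediation this should return []."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    conn.request("GET", parts.path or "/", headers={"Host": bogus_host})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    return reflected_hosts(dict(resp.getheaders()), body, allowed)

if __name__ == "__main__":  # e.g. check.py https://www.example.com/Security/lostpassword probe.invalid
    print(probe(sys.argv[1], sys.argv[2], allowed_hosts(SAMPLE_ENV)))
```

With the allow-list configured, Silverstripe should refuse to serve the request for the bogus host, so an empty result on your own site is the expected post-remediation outcome.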

Additional best practices include:

  • Enabling multi-factor authentication (MFA) for all administrator accounts.
  • Applying rate-limiting to protect against one-time passcode brute-force attempts.
  • Preventing account enumeration through timing attacks.

More technical guidance on these measures is available in Silverstripe’s secure coding documentation, MFA setup guide, and rate-limiting documentation.

Vulnerability Disclosure Timeline

  • 21 Oct 2021 – Initial issue reported to Silverstripe.
  • 22 Oct 2021 – Additional technical analysis submitted.
  • 26 Oct 2021 – CVE-2021-43031 assigned.
  • 18 Nov 2021 – Silverstripe classified the issue as a "security enhancement", citing that it depends on insecure server configurations to be exploited.
  • 01 Oct 2024 – Discovery of the SafeLinks-related zero-click issue.
  • 14–16 Nov 2024 – Further research across multiple clients revealed widespread exposure.
  • 03 Dec 2024 – Issue reported to CERT/NCSC, along with a list of affected New Zealand websites.
  • 21 Jan 2025 – Public advisory released with CERT approval.
