CVE-2024-2463: Weak password recovery mechanism in CDeX

Vulnerability detected by me in the CDeX software offered by the company of the same name. The vulnerability allows the interception of the token used to reset the password of any user.

CVE-2024-2463: Weak password recovery mechanism in CDeX


On the software manufacturer’s website, we can read the following product description: “CDeX (Cyber Defense eXercise Platform) is a virtual training platform designed to enhance cyber defense skills and develop cybersecurity technologies. Our advanced cyber offering provides a fully scalable, automated, and hyperrealistic training environment, which allows team members to build competence in the field of cyber defense.”

Vulnerability description

Access to the platform is possible after logging in through SSO (Single Sign-On) or by using the login credentials, namely the username and password. In case of forgotten passwords, users have at their disposal a password recovery function. However, the request sent in this process does not properly verify the HOST header, which allows attackers to inject any domain. To exploit this vulnerability, the targeted person must click on the link contained in the received email.

Exploitation scenario

The example of exploiting the vulnerability is presented in the following video:


1 February 2024Report sent to CDeX
15 February 2024Report sent to CERT Polska
23 February 2024CDeX confirms the vulnerability exists
11 March 2024CDeX releases a software patch
15 March 2024CERT Polska assigns CVE-2024-2463 to this vulnerability
21 March 2024CERT Polska publishes the vulnerability

How to prevent similar vulnerabilities in your application

To prevent HTTP Host header attacks, the simplest approach is to avoid using the Host header in server-side code. Carefully check whether each URL needs to be absolute. Often, you may find that a relative URL can be used instead. More information on how to prevent such attacks can be found at this link.