CERN Indico before 2.3.4 can use an attacker-supplied Host header in a password reset link.

By admin