Overview :
An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack.
Affected Product(s) :
  • Embedthis GoAhead 2.5.0
Vulnerability Details :
CVE ID : CVE-2019-16645
A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.

Solution : update/upgrade to the latest versions listed in the site.