A host header injection vulnerability exists from the forgot password operation of ArrowCMS Model 1.0.0. By sending a specially crafted host header while in the forgot password request, it is achievable to mail password https://www.ralantech.com/mysql-database-health-check-consulting-service/