Common Weakness Enumeration

CWE-601

Allowed

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base · Status: Draft

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

2304 vulnerabilities reference this CWE, most recent first.

GHSA-4MVF-QM8G-C6MP

Vulnerability from github – Published: 2023-03-09 21:30 – Updated: 2023-03-15 18:30
VLAI
Details

An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 1.47 before 3.0.51, which sends custom request headers in redirects.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 1.47 before 3.0.51, which sends custom request headers in redirects.",
  "id": "GHSA-4mvf-qm8g-c6mp",
  "modified": "2023-03-15T18:30:28Z",
  "published": "2023-03-09T21:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4317"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1767533"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4317.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/384997"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4MWH-2XX5-5VP9

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2026-04-08 21:32
VLAI
Details

The WP Compress – Image Optimizer [All-In-One plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 6.20.01. This is due to insufficient validation on the redirect url supplied via the 'css' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6812"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T16:15:51Z",
    "severity": "MODERATE"
  },
  "details": "The WP Compress \u2013 Image Optimizer [All-In-One plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 6.20.01. This is due to insufficient validation on the redirect url supplied via the \u0027css\u0027 parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.",
  "id": "GHSA-4mwh-2xx5-5vp9",
  "modified": "2026-04-08T21:32:36Z",
  "published": "2024-05-14T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6812"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3082085/wp-compress-image-optimizer/trunk/fixCss.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbbf9fbb-74fd-42eb-a781-2a720fe56b13?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PC9-X2FX-P7VJ

Vulnerability from github – Published: 2025-05-01 17:00 – Updated: 2025-07-28 20:26
VLAI
Summary
@cloudflare/workers-oauth-provider missing validation of redirect_uri on authorize endpoint
Details

Summary

The OAuth implementation failed to check that redirect_uri was among the allowed set for the client_id.

Impact

Under certain circumstances (see below), if a victim had previously authorized with a server built on workers-oath-provider, and an attacker could later trick the victim into visiting a malicious web site, then attacker could potentially steal the victim's credentials to the same OAuth server and subsequently impersonate them.

In order for the attack to be possible, the OAuth server's authorized callback must be designed to auto-approve authorizations that appear to come from an OAuth client that the victim has authorized previously. The authorization flow is not implemented by workers-oauth-provider; it is up to the application built on top to decide whether to implement such automatic re-authorization. However, many applications do implement such logic.

Patches

Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/26

We patched up the vulnerabilities in the latest version, v 0.0.5 of the Workers OAuth provider (https://www.npmjs.com/package/@cloudflare/workers-oauth-provider). You'll need to update your MCP servers to use that version to resolve the vulnerability.

Workarounds

None

Note

It is a basic, well-known requirement that OAuth servers should verify that the redirect URI is among the allowed list for the client, both during the authorization flow and subsequently when exchanging the authorization code for an access token. workers-oauth-provider implemented only the latter check, not the former. Unfortunately, the former is the much more important check.

Readers who are familiar with OAuth may recognize that failing to check redirect URIs against the allowed list is a well-known, basic mistake, covered extensively in the RFC and elsewhere. The author of this library would like everyone to know that he was, in fact, well-aware of this requirement, thought about it a lot while designing the library, and then, somehow, forgot to actually make sure the check was in the code. That is, it's not that he didn't know what he was doing, it's that he knew what he was doing but flubbed it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cloudflare/workers-oauth-provider"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-4143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-01T17:00:29Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe OAuth implementation failed to check that redirect_uri was among the allowed set for the client_id.\n\n### Impact\nUnder certain circumstances (see below), if a victim had previously authorized with a server built on workers-oath-provider, and an attacker could later trick the victim into visiting a malicious web site, then attacker could potentially steal the victim\u0027s credentials to the same OAuth server and subsequently impersonate them.\n\nIn order for the attack to be possible, the OAuth server\u0027s authorized callback must be designed to auto-approve authorizations that appear to come from an OAuth client that the victim has authorized previously. The authorization flow is not implemented by workers-oauth-provider; it is up to the application built on top to decide whether to implement such automatic re-authorization. However, many applications do implement such logic.\n\n\n### Patches\nFixed in: https://github.com/cloudflare/workers-oauth-provider/pull/26\n\nWe patched up the vulnerabilities in the latest version, v 0.0.5 of the Workers OAuth provider (https://www.npmjs.com/package/@cloudflare/workers-oauth-provider). You\u0027ll need to update your MCP servers to use that version to resolve the vulnerability.\n\n\n### Workarounds\nNone\n\n### Note\n\nIt is a basic, well-known requirement that OAuth servers should verify that the redirect URI is among the allowed list for the client, both during the authorization flow and subsequently when exchanging the authorization code for an access token. workers-oauth-provider implemented only the latter check, not the former. Unfortunately, the former is the much more important check.\n\nReaders who are familiar with OAuth may recognize that failing to check redirect URIs against the allowed list is a well-known, basic mistake, covered extensively in the RFC and elsewhere. The author of this library would like everyone to know that he was, in fact, well-aware of this requirement, thought about it a lot while designing the library, and then, somehow, forgot to actually make sure the check was in the code. That is, it\u0027s not that he didn\u0027t know what he was doing, it\u0027s that he knew what he was doing but flubbed it.",
  "id": "GHSA-4pc9-x2fx-p7vj",
  "modified": "2025-07-28T20:26:33Z",
  "published": "2025-05-01T17:00:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-oauth-provider/security/advisories/GHSA-4pc9-x2fx-p7vj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4143"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudflare/workers-oauth-provider/pull/26"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cloudflare/workers-oauth-provider"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@cloudflare/workers-oauth-provider missing validation of redirect_uri on authorize endpoint"
}

GHSA-4PM8-5W34-Q28W

Vulnerability from github – Published: 2025-05-07 15:31 – Updated: 2026-04-01 18:35
VLAI
Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in formsintegrations Integrations of Zoho CRM with Elementor form allows Phishing. This issue affects Integrations of Zoho CRM with Elementor form: from n/a through 1.0.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47644"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-07T15:16:17Z",
    "severity": "MODERATE"
  },
  "details": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in formsintegrations Integrations of Zoho CRM with Elementor form allows Phishing. This issue affects Integrations of Zoho CRM with Elementor form: from n/a through 1.0.7.",
  "id": "GHSA-4pm8-5w34-q28w",
  "modified": "2026-04-01T18:35:04Z",
  "published": "2025-05-07T15:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47644"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/integrations-of-zoho-crm-with-elementor-form/vulnerability/wordpress-integrations-of-zoho-crm-with-elementor-form-1-0-7-open-redirection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4QXF-CFRR-VXJG

Vulnerability from github – Published: 2024-02-15 06:31 – Updated: 2024-11-02 00:36
VLAI
Details

URL spoofing vulnerability exists in a-blog cms Ver.3.1.0 to Ver.3.1.8. If an attacker sends a specially crafted request, the administrator of the product may be forced to access an arbitrary website when clicking a link in the audit log.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-15T05:15:10Z",
    "severity": "MODERATE"
  },
  "details": "URL spoofing vulnerability exists in a-blog cms Ver.3.1.0 to Ver.3.1.8. If an attacker sends a specially crafted request, the administrator of the product may be forced to access an arbitrary website when clicking a link in the audit log.",
  "id": "GHSA-4qxf-cfrr-vxjg",
  "modified": "2024-11-02T00:36:20Z",
  "published": "2024-02-15T06:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25559"
    },
    {
      "type": "WEB",
      "url": "https://developer.a-blogcms.jp/blog/news/JVN-48966481.html"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN48966481"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4R8Q-GV9J-3XX6

Vulnerability from github – Published: 2022-03-18 17:55 – Updated: 2022-03-18 17:55
VLAI
Summary
Open Redirect
Details

Impact

In some situations, it is possible to have open redirects where users can be redirected from your site to any other site using a specially crafted URL. This is only the case for installations where the default Hostname Identification is used and the environment uses tenants that have force_https set to true (default: false)

Patches

Version 5.7.2 contains the relevant patches to fix this bug. Stripping the URL from special characters to prevent specially crafted URL's from being redirected to.

Workarounds

There is a simple way to work around the security issue - Set the force_https to every tenant to false

References

https://nvd.nist.gov/vuln/detail/CVE-2018-11784

For more information

If you have any questions or comments about this advisory: * Contact us in Discord: https://tenancy.dev/chat

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "hyn/multi-tenant"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.6.0"
            },
            {
              "fixed": "5.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-27T20:40:11Z",
    "nvd_published_at": "2021-05-27T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIn some situations, it is possible to have open redirects where users can be redirected from your site to any other site using a specially crafted URL.\nThis is only the case for installations where the default Hostname Identification is used and the environment uses tenants that have `force_https` set to `true` (default: `false`)\n\n### Patches\nVersion 5.7.2 contains the relevant patches to fix this bug. Stripping the URL from special characters to prevent specially crafted URL\u0027s from being redirected to.\n\n### Workarounds\nThere is a simple way to work around the security issue\n- Set the `force_https` to every tenant to `false`\n\n### References\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-11784\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact us in Discord: https://tenancy.dev/chat\n",
  "id": "GHSA-4r8q-gv9j-3xx6",
  "modified": "2022-03-18T17:55:07Z",
  "published": "2022-03-18T17:55:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tenancy/multi-tenant/security/advisories/GHSA-4r8q-gv9j-3xx6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32645"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tenancy/multi-tenant/commit/9c837a21bccce9bcaeb90033ef200d84f0d9e164"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/hyn/multi-tenant"
    },
    {
      "type": "WEB",
      "url": "https://webmasters.googleblog.com/2009/01/open-redirect-urls-is-your-site-being.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Open Redirect"
}

GHSA-4R8W-73JC-3M7Q

Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31
VLAI
Details

Spring Security Authorization Server's authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability.

Affected versions: Spring Security 7.0.0 through 7.0.5. Spring Authorization Server 1.5.0 through 1.5.7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-41008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-10T00:16:50Z",
    "severity": "MODERATE"
  },
  "details": "Spring Security Authorization Server\u0027s authorization endpoint performs insufficient validation of the request_uri parameter. An attacker can craft a malicious authorization request containing an invalid request_uri and an arbitrary, unvalidated redirect_uri, which can lead to an Open Redirect vulnerability.\n\nAffected versions:\nSpring Security 7.0.0 through 7.0.5.\nSpring Authorization Server 1.5.0 through 1.5.7.",
  "id": "GHSA-4r8w-73jc-3m7q",
  "modified": "2026-06-10T00:31:51Z",
  "published": "2026-06-10T00:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41008"
    },
    {
      "type": "WEB",
      "url": "https://spring.io/security/cve-2026-41008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RG6-FM25-GC34

Vulnerability from github – Published: 2022-08-30 00:00 – Updated: 2022-09-16 19:36
VLAI
Summary
oauth2-server through 3.1.1 vulnerable to Open Redirect
Details

In oauth2-server (aka node-oauth2-server) through 3.1.1, the value of the redirect_uri parameter received during the authorization and token request is checked against an incorrect URI pattern ([a-zA-Z][a-zA-Z0-9+.-]+:) before making a redirection. This allows a malicious client to pass an XSS payload through the redirect_uri parameter while making an authorization request. NOTE: this vulnerability is similar to CVE-2020-7741.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "oauth2-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26938"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T19:36:13Z",
    "nvd_published_at": "2022-08-29T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "In oauth2-server (aka node-oauth2-server) through 3.1.1, the value of the `redirect_uri` parameter received during the authorization and token request is checked against an incorrect URI pattern (`[a-zA-Z][a-zA-Z0-9+.-]+:`) before making a redirection. This allows a malicious client to pass an XSS payload through the redirect_uri parameter while making an authorization request. NOTE: this vulnerability is similar to CVE-2020-7741.",
  "id": "GHSA-4rg6-fm25-gc34",
  "modified": "2022-09-16T19:36:13Z",
  "published": "2022-08-30T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26938"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauthjs/node-oauth2-server/issues/637"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/oauthjs/node-oauth2-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauthjs/node-oauth2-server/blob/91d2cbe70a0eddc53d72def96864e2de0fd41703/lib/grant-types/authorization-code-grant-type.js#L143"
    },
    {
      "type": "WEB",
      "url": "https://github.com/oauthjs/node-oauth2-server/blob/91d2cbe70a0eddc53d72def96864e2de0fd41703/lib/validator/is.js#L12"
    },
    {
      "type": "WEB",
      "url": "https://tools.ietf.org/html/rfc3986#section-3"
    },
    {
      "type": "WEB",
      "url": "https://tools.ietf.org/html/rfc6749#section-3.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "oauth2-server through 3.1.1 vulnerable to Open Redirect"
}

GHSA-4RMJ-VF7W-XHFP

Vulnerability from github – Published: 2022-05-24 17:22 – Updated: 2022-05-24 17:22
VLAI
Details

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate internal services via an Information Disclosure vulnerability. The vulnerability is only exploitable if WebSudo is disabled in Jira. The affected versions are before version 8.4.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-20417"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-02T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Affected versions of Atlassian Jira Server and Data Center allow remote attackers to enumerate internal services via an Information Disclosure vulnerability. The vulnerability is only exploitable if WebSudo is disabled in Jira. The affected versions are before version 8.4.2.",
  "id": "GHSA-4rmj-vf7w-xhfp",
  "modified": "2022-05-24T17:22:17Z",
  "published": "2022-05-24T17:22:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20417"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/JRASERVER-70408?"
    },
    {
      "type": "WEB",
      "url": "https://jira.atlassian.com/browse/JRASERVER-70886"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4RQQ-RXVC-V2RC

Vulnerability from github – Published: 2022-03-25 00:00 – Updated: 2024-04-24 20:58
VLAI
Summary
Gitea Open Redirect
Details

Open Redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "code.gitea.io/gitea"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.16.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-24T20:58:20Z",
    "nvd_published_at": "2022-03-24T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Open Redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5.",
  "id": "GHSA-4rqq-rxvc-v2rc",
  "modified": "2024-04-24T20:58:20Z",
  "published": "2022-03-25T00:00:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1058"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-gitea/gitea/pull/19175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-gitea/gitea/pull/19186"
    },
    {
      "type": "WEB",
      "url": "https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/go-gitea/gitea"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gitea Open Redirect"
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • Use a list of approved URLs or domains to be used for redirection.
Mitigation
Architecture and Design

Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Mitigation MIT-21.2
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Architecture and Design

Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).

Mitigation MIT-6
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
  • Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-178: Cross-Site Flashing

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.