Common Weakness Enumeration

CWE-601

Allowed

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base · Status: Draft

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

2310 vulnerabilities reference this CWE, most recent first.

GHSA-FHVP-VH23-MCP7

Vulnerability from github – Published: 2023-03-22 18:30 – Updated: 2023-03-22 18:30
VLAI
Details

Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. A low-privilege authenticated attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-22T17:15:00Z",
    "severity": "LOW"
  },
  "details": "Experience Manager versions 6.5.15.0 (and earlier) are affected by a URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability. A low-privilege authenticated attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.",
  "id": "GHSA-fhvp-vh23-mcp7",
  "modified": "2023-03-22T18:30:39Z",
  "published": "2023-03-22T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22262"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/experience-manager/apsb23-18.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FHW5-VP5P-7WXX

Vulnerability from github – Published: 2025-03-27 12:30 – Updated: 2026-04-28 21:35
VLAI
Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in WPFactory Scheduled & Automatic Order Status Controller for WooCommerce allows Phishing. This issue affects Scheduled & Automatic Order Status Controller for WooCommerce: from n/a through 3.7.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-27T11:15:39Z",
    "severity": "MODERATE"
  },
  "details": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in WPFactory Scheduled \u0026amp; Automatic Order Status Controller for WooCommerce allows Phishing. This issue affects Scheduled \u0026amp; Automatic Order Status Controller for WooCommerce: from n/a through 3.7.1.",
  "id": "GHSA-fhw5-vp5p-7wxx",
  "modified": "2026-04-28T21:35:32Z",
  "published": "2025-03-27T12:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30781"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/order-status-rules-for-woocommerce/vulnerability/wordpress-scheduled-automatic-order-status-controller-for-woocommerce-3-7-1-open-redirection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJ5W-23F4-PVW6

Vulnerability from github – Published: 2026-02-10 06:30 – Updated: 2026-02-10 06:30
VLAI
Details

The SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker with high privileges to insert malicious URL within the application. Upon successful exploitation, the victim may click on this malicious URL, resulting in an unvalidated redirect to the attacker-controlled domain and subsequently download the malicious content. This vulnerability has a high impact on the confidentiality and integrity of the application, with no effect on the availability of the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T04:16:02Z",
    "severity": "HIGH"
  },
  "details": "The SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker with high privileges to insert malicious URL within the application. Upon successful exploitation, the victim may click on this malicious URL, resulting in an unvalidated redirect to the attacker-controlled domain and subsequently download the malicious content. This vulnerability has a high impact on the confidentiality and integrity of the application, with no effect on the availability of the application.",
  "id": "GHSA-fj5w-23f4-pvw6",
  "modified": "2026-02-10T06:30:38Z",
  "published": "2026-02-10T06:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0508"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3674246"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJ75-5M97-W3PM

Vulnerability from github – Published: 2022-05-14 03:49 – Updated: 2022-05-14 03:49
VLAI
Details

Wordpress plugin Furikake version 0.1.0 is vulnerable to an Open Redirect The furikake-redirect parameter on a page allows for a redirect to an attacker controlled page classes/Furigana.php: header('location:'.urldecode($_GET['furikake-redirect']));

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000434"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-02T23:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Wordpress plugin Furikake version 0.1.0 is vulnerable to an Open Redirect The furikake-redirect parameter on a page allows for a redirect to an attacker controlled page classes/Furigana.php: header(\u0027location:\u0027.urldecode($_GET[\u0027furikake-redirect\u0027]));",
  "id": "GHSA-fj75-5m97-w3pm",
  "modified": "2022-05-14T03:49:37Z",
  "published": "2022-05-14T03:49:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000434"
    },
    {
      "type": "WEB",
      "url": "https://cjc.im/advisories/0008"
    },
    {
      "type": "WEB",
      "url": "https://wpvulndb.com/vulnerabilities/8992"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJFW-648M-HM95

Vulnerability from github – Published: 2023-12-04 15:31 – Updated: 2023-12-07 21:31
VLAI
Details

kkFileView v4.3.0 is vulnerable to Incorrect Access Control.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-04T15:15:07Z",
    "severity": "MODERATE"
  },
  "details": "kkFileView v4.3.0 is vulnerable to Incorrect Access Control.",
  "id": "GHSA-fjfw-648m-hm95",
  "modified": "2023-12-07T21:31:10Z",
  "published": "2023-12-04T15:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48815"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kekingcn/kkFileView"
    },
    {
      "type": "WEB",
      "url": "https://github.com/varzhang/There-is-a-vulnerability-in-kkFileView/blob/main/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJRM-89CV-J79Q

Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 21:30
VLAI
Details

Prior to commit 51867e0d15a6d7f80d5b714fd0e9976b9c160bb0, https://github.com/brave/adblock-lists removed redirect interceptors on some websites like Facebook in which the redirect interceptor may have been there for security purposes. This could potentially cause open redirects on these websites. Brave's redirect interceptor removal feature is known as "debouncing" and is intended to remove unnecessary redirects that track users across the web.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Prior to commit 51867e0d15a6d7f80d5b714fd0e9976b9c160bb0, https://github.com/brave/adblock-lists removed redirect interceptors on some websites like Facebook in which the redirect interceptor may have been there for security purposes. This could potentially cause open redirects on these websites. Brave\u0027s redirect interceptor removal feature is known as \"debouncing\" and is intended to remove unnecessary redirects that track users across the web.",
  "id": "GHSA-fjrm-89cv-j79q",
  "modified": "2023-02-17T21:30:41Z",
  "published": "2023-02-09T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22798"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1579374"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FM3J-3RRX-FRH2

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:09
VLAI
Details

Read the Docs before 3.5.1 has an Open Redirect if certain user-defined redirects are used. This affects private instances of Read the Docs (in addition to the public readthedocs.org web sites).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-02T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Read the Docs before 3.5.1 has an Open Redirect if certain user-defined redirects are used. This affects private instances of Read the Docs (in addition to the public readthedocs.org web sites).",
  "id": "GHSA-fm3j-3rrx-frh2",
  "modified": "2024-04-04T01:09:03Z",
  "published": "2022-05-24T16:49:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/readthedocs/readthedocs.org/security/advisories/GHSA-2mw9-4c46-qrcv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13175"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FP4X-GGRF-WMC6

Vulnerability from github – Published: 2026-03-23 21:48 – Updated: 2026-03-23 21:48
VLAI
Summary
H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation
Details

Summary

The redirectBack() utility in h3 validates that the Referer header shares the same origin as the request before using its pathname as the redirect Location. However, the pathname is not sanitized for protocol-relative paths (starting with //). An attacker can craft a same-origin URL with a double-slash path segment that passes the origin check but produces a Location header interpreted by browsers as a protocol-relative redirect to an external domain.

Details

The vulnerable code is in src/utils/response.ts:89-97:

export function redirectBack(
  event: H3Event,
  opts: { fallback?: string; status?: number; allowQuery?: boolean } = {},
): HTTPResponse {
  const referer = event.req.headers.get("referer");
  let location = opts.fallback ?? "/";
  if (referer && URL.canParse(referer)) {
    const refererURL = new URL(referer);
    if (refererURL.origin === event.url.origin) {
      // BUG: pathname can be "//evil.com/path" which browsers interpret
      // as a protocol-relative URL
      location = refererURL.pathname + (opts.allowQuery ? refererURL.search : "");
    }
  }
  return redirect(location, opts.status);
}

The root cause is a discrepancy between how the WHATWG URL parser and browsers handle double-slash paths:

  1. new URL("http://target.com//evil.com/path").origin"http://target.com" — origin check passes
  2. new URL("http://target.com//evil.com/path").pathname"//evil.com/path" — extracted as redirect location
  3. Browser receives Location: //evil.com/path → interprets as protocol-relative URL → redirects to evil.com

Attack scenario: The attacker shares a link like http://target.com//evil.com/page. If the target application has catch-all routes (common in SPAs built with h3/Nitro), the app serves its page at that URL. When the user navigates to an endpoint calling redirectBack(), the browser sends Referer: http://target.com//evil.com/page. The origin check passes, and the user is redirected to evil.com, which can host a phishing page mimicking the target.

PoC

# 1. Create a minimal h3 app with redirectBack
cat > /tmp/h3-redirect-poc.ts << 'SCRIPT'
import { H3, redirectBack } from "h3";

const app = new H3();
app.post("/submit", (event) => redirectBack(event));

const res = await app.fetch(new Request("http://localhost/submit", {
  method: "POST",
  headers: { referer: "http://localhost//evil.com/steal" }
}));

console.log("Status:", res.status);
console.log("Location:", res.headers.get("location"));
// Expected: a same-origin path
// Actual: "//evil.com/steal" — protocol-relative redirect to evil.com
SCRIPT

# 2. Verify URL parsing behavior
node -e "
const u = new URL('http://localhost//evil.com/steal');
console.log('origin:', u.origin);         // http://localhost
console.log('pathname:', u.pathname);     // //evil.com/steal
console.log('origin matches localhost:', u.origin === 'http://localhost');  // true
"
# Output:
# origin: http://localhost
# pathname: //evil.com/steal
# origin matches localhost: true

Impact

An attacker can redirect users from a trusted application to an attacker-controlled domain. This enables:

  • Credential phishing: Redirect to a lookalike login page to harvest credentials
  • OAuth token theft: In OAuth flows using redirectBack(), steal authorization codes by redirecting to an attacker's callback
  • Trust exploitation: Users see the initial link points to the trusted domain, lowering suspicion

The vulnerability requires no authentication and affects any endpoint using redirectBack().

Recommended Fix

Sanitize the extracted pathname to prevent protocol-relative URLs. In src/utils/response.ts, after extracting the pathname from the referer:

export function redirectBack(
  event: H3Event,
  opts: { fallback?: string; status?: number; allowQuery?: boolean } = {},
): HTTPResponse {
  const referer = event.req.headers.get("referer");
  let location = opts.fallback ?? "/";
  if (referer && URL.canParse(referer)) {
    const refererURL = new URL(referer);
    if (refererURL.origin === event.url.origin) {
      let pathname = refererURL.pathname;
      // Prevent protocol-relative open redirect (e.g., "//evil.com")
      if (pathname.startsWith("//")) {
        pathname = "/" + pathname.replace(/^\/+/, "");
      }
      location = pathname + (opts.allowQuery ? refererURL.search : "");
    }
  }
  return redirect(location, opts.status);
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "h3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.1-rc.17"
            },
            {
              "fixed": "2.0.1-rc.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.0.1-rc.17"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-23T21:48:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `redirectBack()` utility in h3 validates that the `Referer` header shares the same origin as the request before using its pathname as the redirect `Location`. However, the pathname is not sanitized for protocol-relative paths (starting with `//`). An attacker can craft a same-origin URL with a double-slash path segment that passes the origin check but produces a `Location` header interpreted by browsers as a protocol-relative redirect to an external domain.\n\n## Details\n\nThe vulnerable code is in `src/utils/response.ts:89-97`:\n\n```typescript\nexport function redirectBack(\n  event: H3Event,\n  opts: { fallback?: string; status?: number; allowQuery?: boolean } = {},\n): HTTPResponse {\n  const referer = event.req.headers.get(\"referer\");\n  let location = opts.fallback ?? \"/\";\n  if (referer \u0026\u0026 URL.canParse(referer)) {\n    const refererURL = new URL(referer);\n    if (refererURL.origin === event.url.origin) {\n      // BUG: pathname can be \"//evil.com/path\" which browsers interpret\n      // as a protocol-relative URL\n      location = refererURL.pathname + (opts.allowQuery ? refererURL.search : \"\");\n    }\n  }\n  return redirect(location, opts.status);\n}\n```\n\nThe root cause is a discrepancy between how the WHATWG URL parser and browsers handle double-slash paths:\n\n1. `new URL(\"http://target.com//evil.com/path\").origin` \u2192 `\"http://target.com\"` \u2014 origin check **passes**\n2. `new URL(\"http://target.com//evil.com/path\").pathname` \u2192 `\"//evil.com/path\"` \u2014 extracted as redirect location\n3. Browser receives `Location: //evil.com/path` \u2192 interprets as protocol-relative URL \u2192 **redirects to `evil.com`**\n\n**Attack scenario:** The attacker shares a link like `http://target.com//evil.com/page`. If the target application has catch-all routes (common in SPAs built with h3/Nitro), the app serves its page at that URL. When the user navigates to an endpoint calling `redirectBack()`, the browser sends `Referer: http://target.com//evil.com/page`. The origin check passes, and the user is redirected to `evil.com`, which can host a phishing page mimicking the target.\n\n## PoC\n\n```bash\n# 1. Create a minimal h3 app with redirectBack\ncat \u003e /tmp/h3-redirect-poc.ts \u003c\u003c \u0027SCRIPT\u0027\nimport { H3, redirectBack } from \"h3\";\n\nconst app = new H3();\napp.post(\"/submit\", (event) =\u003e redirectBack(event));\n\nconst res = await app.fetch(new Request(\"http://localhost/submit\", {\n  method: \"POST\",\n  headers: { referer: \"http://localhost//evil.com/steal\" }\n}));\n\nconsole.log(\"Status:\", res.status);\nconsole.log(\"Location:\", res.headers.get(\"location\"));\n// Expected: a same-origin path\n// Actual: \"//evil.com/steal\" \u2014 protocol-relative redirect to evil.com\nSCRIPT\n\n# 2. Verify URL parsing behavior\nnode -e \"\nconst u = new URL(\u0027http://localhost//evil.com/steal\u0027);\nconsole.log(\u0027origin:\u0027, u.origin);         // http://localhost\nconsole.log(\u0027pathname:\u0027, u.pathname);     // //evil.com/steal\nconsole.log(\u0027origin matches localhost:\u0027, u.origin === \u0027http://localhost\u0027);  // true\n\"\n# Output:\n# origin: http://localhost\n# pathname: //evil.com/steal\n# origin matches localhost: true\n```\n\n## Impact\n\nAn attacker can redirect users from a trusted application to an attacker-controlled domain. This enables:\n\n- **Credential phishing**: Redirect to a lookalike login page to harvest credentials\n- **OAuth token theft**: In OAuth flows using `redirectBack()`, steal authorization codes by redirecting to an attacker\u0027s callback\n- **Trust exploitation**: Users see the initial link points to the trusted domain, lowering suspicion\n\nThe vulnerability requires no authentication and affects any endpoint using `redirectBack()`.\n\n## Recommended Fix\n\nSanitize the extracted pathname to prevent protocol-relative URLs. In `src/utils/response.ts`, after extracting the pathname from the referer:\n\n```typescript\nexport function redirectBack(\n  event: H3Event,\n  opts: { fallback?: string; status?: number; allowQuery?: boolean } = {},\n): HTTPResponse {\n  const referer = event.req.headers.get(\"referer\");\n  let location = opts.fallback ?? \"/\";\n  if (referer \u0026\u0026 URL.canParse(referer)) {\n    const refererURL = new URL(referer);\n    if (refererURL.origin === event.url.origin) {\n      let pathname = refererURL.pathname;\n      // Prevent protocol-relative open redirect (e.g., \"//evil.com\")\n      if (pathname.startsWith(\"//\")) {\n        pathname = \"/\" + pathname.replace(/^\\/+/, \"\");\n      }\n      location = pathname + (opts.allowQuery ? refererURL.search : \"\");\n    }\n  }\n  return redirect(location, opts.status);\n}\n```",
  "id": "GHSA-fp4x-ggrf-wmc6",
  "modified": "2026-03-23T21:48:24Z",
  "published": "2026-03-23T21:48:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/security/advisories/GHSA-fp4x-ggrf-wmc6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/commit/459a1c6593365b0810e9c502df7c3e82837321d7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/h3js/h3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation"
}

GHSA-FP5R-V55Q-WGX7

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45
VLAI
Details

The appstore before 8.12.0.0 exposes some of its components, and the attacker can cause remote download and install apps through carefully constructed parameters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-23T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The appstore before 8.12.0.0 exposes some of its components, and the attacker can cause remote download and install apps through carefully constructed parameters.",
  "id": "GHSA-fp5r-v55q-wgx7",
  "modified": "2022-05-24T17:45:04Z",
  "published": "2022-05-24T17:45:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12483"
    },
    {
      "type": "WEB",
      "url": "https://www.vivo.com/en/support/security-advisory-detail?id=1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FPGV-9V95-HRGV

Vulnerability from github – Published: 2021-12-09 00:01 – Updated: 2021-12-10 00:01
VLAI
Details

A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlers

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-08T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A url redirection to untrusted site (\u0027open redirect\u0027) in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlers",
  "id": "GHSA-fpgv-9v95-hrgv",
  "modified": "2021-12-10T00:01:02Z",
  "published": "2021-12-09T00:01:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36191"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-21-133"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • Use a list of approved URLs or domains to be used for redirection.
Mitigation
Architecture and Design

Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Mitigation MIT-21.2
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Architecture and Design

Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).

Mitigation MIT-6
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
  • Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-178: Cross-Site Flashing

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.