CWE-601
AllowedURL Redirection to Untrusted Site ('Open Redirect')
Abstraction: Base · Status: Draft
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
2310 vulnerabilities reference this CWE, most recent first.
GHSA-G7J8-X6G6-F5VJ
Vulnerability from github – Published: 2023-09-09 00:30 – Updated: 2024-04-04 07:34SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps allow an attacker to redirect users to a malicious site due to insufficient URL validation. As a result, it may have a slight impact on confidentiality and integrity.
{
"affected": [],
"aliases": [
"CVE-2023-40306"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-08T22:15:11Z",
"severity": "MODERATE"
},
"details": "SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps allow an attacker to redirect users to a malicious site due to insufficient URL validation. As a result, it may have a slight impact on confidentiality and integrity.",
"id": "GHSA-g7j8-x6g6-f5vj",
"modified": "2024-04-04T07:34:28Z",
"published": "2023-09-09T00:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40306"
},
{
"type": "WEB",
"url": "https://https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3156972"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G7R3-JG9W-238C
Vulnerability from github – Published: 2024-01-24 12:30 – Updated: 2024-01-24 12:30URL redirection to untrusted site ('Open Redirect') vulnerability in file access component in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 allows remote authenticated users to conduct phishing attacks via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2024-0854"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-24T10:15:09Z",
"severity": "MODERATE"
},
"details": "URL redirection to untrusted site (\u0027Open Redirect\u0027) vulnerability in file access component in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 allows remote authenticated users to conduct phishing attacks via unspecified vectors.",
"id": "GHSA-g7r3-jg9w-238c",
"modified": "2024-01-24T12:30:17Z",
"published": "2024-01-24T12:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0854"
},
{
"type": "WEB",
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G7WC-FGQC-J967
Vulnerability from github – Published: 2025-12-30 18:30 – Updated: 2025-12-30 18:30A weakness has been identified in Edimax BR-6208AC 1.02/1.03. Affected by this issue is the function formALGSetup of the file /goform/formALGSetup of the component Web-based Configuration Interface. This manipulation of the argument wlan-url causes open redirect. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [],
"aliases": [
"CVE-2025-15258"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-30T18:15:45Z",
"severity": "MODERATE"
},
"details": "A weakness has been identified in Edimax BR-6208AC 1.02/1.03. Affected by this issue is the function formALGSetup of the file /goform/formALGSetup of the component Web-based Configuration Interface. This manipulation of the argument wlan-url causes open redirect. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. Edimax confirms this issue: \"The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security.\" This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-g7wc-fgqc-j967",
"modified": "2025-12-30T18:30:20Z",
"published": "2025-12-30T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15258"
},
{
"type": "WEB",
"url": "https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Open-Redirect-Vulnerability-in-Web-formALGSetup-handler-2d3b5c52018a80188e9ae30d3cc8c3d1?source=copy_link"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.338648"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.338648"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.722446"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G839-X3P3-G5FM
Vulnerability from github – Published: 2025-03-03 19:53 – Updated: 2025-03-03 19:53Summary
CodeChecker versions up to 6.24.5 contain an open redirect vulnerability due to missing protections against multiple slashes after the product name in the URL's path segment. This results in bypassing protections against CVE-2021-28861, leading to the same open redirect pathway.
Details
CodeChecker processes GET requests by first rewriting the path segment of the URL, and then passing the rewritten URL to the webserver framework.
When trimming the product name from the URL, no sanitization was performed on the remaining URL, which reintroduced the same issue as CVE-2021-28861, leading to the same open redirect pathway using URLs such as /Default//attacker.com/%2f...
Impact
The vulnerability allows an attacker to create a hyperlink that looks like a legitimate CodeChecker URL, but redirects to an attacker-supplied website when clicked.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.24.5"
},
"package": {
"ecosystem": "PyPI",
"name": "codechecker"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.24.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-1300"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-03T19:53:16Z",
"nvd_published_at": "2025-02-28T13:15:27Z",
"severity": "MODERATE"
},
"details": "Summary\n---\n\nCodeChecker versions up to 6.24.5 contain an open redirect vulnerability due to missing protections against multiple slashes after the product name in the URL\u0027s path segment. This results in bypassing protections against CVE-2021-28861, leading to the same open redirect pathway.\n\nDetails\n---\n\nCodeChecker processes GET requests by first rewriting the path segment of the URL, and then passing the rewritten URL to the webserver framework.\nWhen trimming the product name from the URL, no sanitization was performed on the remaining URL, which reintroduced the same issue as CVE-2021-28861, leading to the same open redirect pathway using URLs such as `/Default//attacker.com/%2f..`.\n\nImpact\n---\n\nThe vulnerability allows an attacker to create a hyperlink that looks like a legitimate CodeChecker URL, but redirects to an attacker-supplied website when clicked.",
"id": "GHSA-g839-x3p3-g5fm",
"modified": "2025-03-03T19:53:16Z",
"published": "2025-03-03T19:53:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Ericsson/codechecker/security/advisories/GHSA-g839-x3p3-g5fm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1300"
},
{
"type": "PACKAGE",
"url": "https://github.com/Ericsson/codechecker"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "CodeChecker open redirect when URL contains multiple slashes after the product name"
}
GHSA-G867-7563-WVHV
Vulnerability from github – Published: 2025-06-15 15:30 – Updated: 2025-06-15 15:30A vulnerability has been found in Astun Technology iShare Maps 5.4.0 and classified as problematic. This vulnerability affects unknown code of the file atCheckJS.aspx. The manipulation of the argument ref leads to open redirect. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-6089"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-15T13:15:33Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in Astun Technology iShare Maps 5.4.0 and classified as problematic. This vulnerability affects unknown code of the file atCheckJS.aspx. The manipulation of the argument ref leads to open redirect. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-g867-7563-wvhv",
"modified": "2025-06-15T15:30:30Z",
"published": "2025-06-15T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6089"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.312556"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.312556"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.587876"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G897-JVJX-78VG
Vulnerability from github – Published: 2026-01-08 12:30 – Updated: 2026-01-09 21:31When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.
{
"affected": [],
"aliases": [
"CVE-2025-14524"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-08T10:15:46Z",
"severity": "MODERATE"
},
"details": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host.",
"id": "GHSA-g897-jvjx-78vg",
"modified": "2026-01-09T21:31:34Z",
"published": "2026-01-08T12:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14524"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3459417"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2025-14524.html"
},
{
"type": "WEB",
"url": "https://curl.se/docs/CVE-2025-14524.json"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/01/07/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G898-GRJX-8JM3
Vulnerability from github – Published: 2026-06-23 00:30 – Updated: 2026-06-23 00:30Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft.
{
"affected": [],
"aliases": [
"CVE-2026-56697"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-22T22:16:52Z",
"severity": "MODERATE"
},
"details": "Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft.",
"id": "GHSA-g898-grjx-8jm3",
"modified": "2026-06-23T00:30:29Z",
"published": "2026-06-23T00:30:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-c9cv-mq2m-ppp3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56697"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/commit/6497d99dd106254abd089f6a263d7773869a343b"
},
{
"type": "WEB",
"url": "https://github.com/nuxt/nuxt/commit/e447a793c47766834f7497f8412a76cd56fd8ee1"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nuxt-open-redirect-via-protocol-relative-paths-in-reloadnuxtapp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G8MR-FGFG-5QPC
Vulnerability from github – Published: 2025-10-21 15:09 – Updated: 2026-01-21 16:15Summary:
A bypass was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications.
This vulnerability affects the code referenced in GitHub Advisory GHSA-jgmv-j7ww-jx2x (which is tracked as CVE‑2025‑54420).
Details:
The patched code attempts to treat values that startWith('/') as safe relative paths and only perform origin checks for absolute URLs. However, protocol‑relative URLs (those beginning with //host) also start with '/' and therefore match the startsWith('/') branch. A protocol‑relative referrer such as //evil.com with trailing double-slash is treated by the implementation as a safe relative path, but browsers interpret Location: //evil.com as a redirect to https://evil.com (or http:// based on context).
This discrepancy allows an attacker to supply Referer: //evil.com and trigger an external redirect - bypassing the intended same‑origin protection.
Proof of concept (PoC):
Affected line of code: https://github.com/koajs/koa/blob/master/lib/response.js#L326 The problematic logic looks like:
Request with a protocol‑relative Referer: curl -i -H "Referer: //haymiz.dev" http://127.0.0.1:3000/test
Vulnerable response will contain: HTTP/1.1 302 Found Location: //haymiz.dev
A browser receiving that Location header navigates to https://haymiz.dev (or http:// depending on context), resulting in an open redirect to an attacker‑controlled host:
Recommendation / Patch:
- Do not treat //host as a safe relative path. Explicitly exclude protocol‑relative values from any relative‑path branch.
- Normalize the Referer by resolving it with a base (e.g., new URL(rawRef, ctx.href)), then compare resolved.origin (scheme+host+port) to ctx.origin (or ctx.host plus scheme/port) before allowing the redirect.
Impact:
An attacker who can cause a victim to visit a specially crafted link (or inject a request with a controlled Referer) can cause the victim to be redirected to an attacker‑controlled domain. This can be used for phishing, social engineering, or to bypass some protection rules that rely on same‑origin navigation.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.1"
},
{
"fixed": "3.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "2.16.2"
},
{
"fixed": "2.16.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62595"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-21T15:09:06Z",
"nvd_published_at": "2025-10-21T17:15:40Z",
"severity": "MODERATE"
},
"details": "### Summary:\n\nA bypass was discovered in the `Koa.js` framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user\u2019s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications.\n\nThis vulnerability affects the code referenced in GitHub Advisory GHSA-jgmv-j7ww-jx2x (which is tracked as CVE\u20112025\u201154420). \n\n### Details:\nThe patched code attempts to treat values that `startWith(\u0027/\u0027)` as safe relative paths and only perform origin checks for absolute URLs. However, protocol\u2011relative URLs (those beginning with //host) also start with \u0027/\u0027 and therefore match the startsWith(\u0027/\u0027) branch. A protocol\u2011relative referrer such as `//evil.com` with trailing double-slash is treated by the implementation as a safe relative path, but browsers interpret Location: //evil.com as a redirect to https://evil.com (or http:// based on context).\nThis discrepancy allows an attacker to supply Referer: //evil.com and trigger an external redirect - bypassing the intended same\u2011origin protection.\n\n### Proof of concept (PoC):\nAffected line of code: https://github.com/koajs/koa/blob/master/lib/response.js#L326\nThe problematic logic looks like:\n\n\u003cimg width=\"567\" height=\"509\" alt=\"3\" src=\"https://github.com/user-attachments/assets/33de440a-8945-4e5f-9e0a-2011a3999458\" /\u003e\n\nRequest with a protocol\u2011relative Referer:\ncurl -i -H \"Referer: //haymiz.dev\" http://127.0.0.1:3000/test\n\n\u003cimg width=\"2072\" height=\"1005\" alt=\"1\" src=\"https://github.com/user-attachments/assets/55c48c79-559d-46aa-8b76-c1d2d3536c8b\" /\u003e\n\nVulnerable response will contain:\nHTTP/1.1 302 Found\nLocation: //haymiz.dev\n\nA browser receiving that Location header navigates to https://haymiz.dev (or http:// depending on context), resulting in an open redirect to an attacker\u2011controlled host:\n\n\u003cimg width=\"454\" height=\"239\" alt=\"2\" src=\"https://github.com/user-attachments/assets/852ae81a-9f63-49c1-9ce5-72cd96bcea68\" /\u003e\n\n### Recommendation / Patch:\n* Do not treat //host as a safe relative path. Explicitly exclude protocol\u2011relative values from any relative\u2011path branch.\n* Normalize the Referer by resolving it with a base (e.g., new URL(rawRef, ctx.href)), then compare resolved.origin (scheme+host+port) to ctx.origin (or ctx.host plus scheme/port) before allowing the redirect.\n\n### Impact:\nAn attacker who can cause a victim to visit a specially crafted link (or inject a request with a controlled Referer) can cause the victim to be redirected to an attacker\u2011controlled domain. This can be used for phishing, social engineering, or to bypass some protection rules that rely on same\u2011origin navigation.",
"id": "GHSA-g8mr-fgfg-5qpc",
"modified": "2026-01-21T16:15:45Z",
"published": "2025-10-21T15:09:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62595"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5b"
},
{
"type": "PACKAGE",
"url": "https://github.com/koajs/koa"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic"
}
GHSA-G8VH-644M-955P
Vulnerability from github – Published: 2022-05-17 00:29 – Updated: 2022-05-17 00:29Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.
{
"affected": [],
"aliases": [
"CVE-2015-6961"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-18T20:29:00Z",
"severity": "MODERATE"
},
"details": "Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.",
"id": "GHSA-g8vh-644m-955p",
"modified": "2022-05-17T00:29:22Z",
"published": "2022-05-17T00:29:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6961"
},
{
"type": "WEB",
"url": "https://github.com/web2py/web2py/issues/731"
},
{
"type": "WEB",
"url": "https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G8WR-5FX9-G2GV
Vulnerability from github – Published: 2022-05-14 01:48 – Updated: 2022-05-14 01:48An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The login function of the portal is vulnerable to insecure redirection (also called an open redirect). The in_hi_redirect parameter is not validated by the application after a successful login. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.
{
"affected": [],
"aliases": [
"CVE-2018-16954"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-18T02:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The login function of the portal is vulnerable to insecure redirection (also called an open redirect). The in_hi_redirect parameter is not validated by the application after a successful login. NOTE: this CVE is assigned by MITRE and isn\u0027t validated by Oracle because Oracle WebCenter Interaction Portal is out of support.",
"id": "GHSA-g8wr-5fx9-g2gv",
"modified": "2022-05-14T01:48:52Z",
"published": "2022-05-14T01:48:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16954"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2018/Sep/22"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105350"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- Use a list of approved URLs or domains to be used for redirection.
Mitigation
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Mitigation MIT-21.2
Strategy: Enforcement by Conversion
- When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
- For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
Mitigation MIT-6
Strategy: Attack Surface Reduction
- Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
- Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-178: Cross-Site Flashing
An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.