Common Weakness Enumeration

CWE-601

Allowed

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base · Status: Draft

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

2303 vulnerabilities reference this CWE, most recent first.

CVE-2015-10102 (GCVE-0-2015-10102)

Vulnerability from cvelistv5 – Published: 2023-04-17 18:00 – Updated: 2024-08-06 08:58
VLAI
Title
Freshdesk Plugin redirect
Summary
A vulnerability, which was classified as critical, has been found in Freshdesk Plugin 1.7 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to open redirect. The attack may be launched remotely. Upgrading to version 1.8 is able to address this issue. The patch is identified as 2aaecd4e0c7c6c1dc4e6a593163d5f7aa0fa5d5b. It is recommended to upgrade the affected component. VDB-226118 is the identifier assigned to this vulnerability.
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.226118 vdb-entrytechnical-description
https://vuldb.com/?ctiid.226118 signaturepermissions-required
https://github.com/wp-plugins/freshdesk-support/c… patch
Impacted products
Vendor Product Version
n/a Freshdesk Plugin Affected: 1.7
Credits
VulDB GitHub Commit Analyzer
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T08:58:26.444Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.226118"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.226118"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/wp-plugins/freshdesk-support/commit/2aaecd4e0c7c6c1dc4e6a593163d5f7aa0fa5d5b"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Freshdesk Plugin",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "1.7"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "tool",
          "value": "VulDB GitHub Commit Analyzer"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as critical, has been found in Freshdesk Plugin 1.7 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to open redirect. The attack may be launched remotely. Upgrading to version 1.8 is able to address this issue. The patch is identified as 2aaecd4e0c7c6c1dc4e6a593163d5f7aa0fa5d5b. It is recommended to upgrade the affected component. VDB-226118 is the identifier assigned to this vulnerability."
        },
        {
          "lang": "de",
          "value": "Eine kritische Schwachstelle wurde in Freshdesk Plugin 1.7 f\u00fcr WordPress entdeckt. Betroffen davon ist ein unbekannter Prozess. Mit der Manipulation mit unbekannten Daten kann eine open redirect-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Ein Aktualisieren auf die Version 1.8 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 2aaecd4e0c7c6c1dc4e6a593163d5f7aa0fa5d5b bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 Open Redirect",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-20T09:23:17.659Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.226118"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.226118"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/wp-plugins/freshdesk-support/commit/2aaecd4e0c7c6c1dc4e6a593163d5f7aa0fa5d5b"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2015-06-05T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2015-06-05T00:00:00.000Z",
          "value": "Countermeasure disclosed"
        },
        {
          "lang": "en",
          "time": "2023-04-15T00:00:00.000Z",
          "value": "CVE reserved"
        },
        {
          "lang": "en",
          "time": "2023-04-15T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2023-05-05T10:05:28.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Freshdesk Plugin redirect"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2015-10102",
    "datePublished": "2023-04-17T18:00:05.437Z",
    "dateReserved": "2023-04-15T20:46:09.323Z",
    "dateUpdated": "2024-08-06T08:58:26.444Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-10052 (GCVE-0-2015-10052)

Vulnerability from cvelistv5 – Published: 2023-01-15 18:58 – Updated: 2024-08-06 08:58 Unsupported When Assigned
VLAI
Title
calesanz gibb-modul-151 login redirect
Summary
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, was found in calesanz gibb-modul-151. This affects the function bearbeiten/login. The manipulation leads to open redirect. It is possible to initiate the attack remotely. The patch is named 88a517dc19443081210c804b655e72770727540d. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218379. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.218379 vdb-entrytechnical-description
https://vuldb.com/?ctiid.218379 signaturepermissions-required
https://github.com/calesanz/gibb-modul-151/commit… patch
Impacted products
Credits
VulDB GitHub Commit Analyzer
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T08:58:26.400Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.218379"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.218379"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/calesanz/gibb-modul-151/commit/88a517dc19443081210c804b655e72770727540d"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gibb-modul-151",
          "vendor": "calesanz",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "tool",
          "value": "VulDB GitHub Commit Analyzer"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, was found in calesanz gibb-modul-151. This affects the function bearbeiten/login. The manipulation leads to open redirect. It is possible to initiate the attack remotely. The patch is named 88a517dc19443081210c804b655e72770727540d. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218379. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."
        },
        {
          "lang": "de",
          "value": "Es wurde eine problematische Schwachstelle in calesanz gibb-modul-151 gefunden. Betroffen hiervon ist die Funktion bearbeiten/login. Durch das Manipulieren mit unbekannten Daten kann eine open redirect-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Patch wird als 88a517dc19443081210c804b655e72770727540d bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5.5,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 Open Redirect",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-20T08:22:15.072Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.218379"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.218379"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/calesanz/gibb-modul-151/commit/88a517dc19443081210c804b655e72770727540d"
        }
      ],
      "tags": [
        "unsupported-when-assigned"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-01-14T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2023-01-14T00:00:00.000Z",
          "value": "CVE reserved"
        },
        {
          "lang": "en",
          "time": "2023-01-14T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2023-02-07T15:12:15.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "calesanz gibb-modul-151 login redirect"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2015-10052",
    "datePublished": "2023-01-15T18:58:03.486Z",
    "dateReserved": "2023-01-14T17:21:11.511Z",
    "dateUpdated": "2024-08-06T08:58:26.400Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2011-1594 (GCVE-0-2011-1594)

Vulnerability from cvelistv5 – Published: 2014-02-05 18:00 – Updated: 2026-04-02 21:17
VLAI
Title
Spacewalk: spacewalk: open redirect vulnerability enables phishing attacks via url parameter
Summary
A flaw was found in Spacewalk, as used in Red Hat Network Satellite. This open redirect vulnerability allows remote attackers to redirect users to arbitrary web sites by manipulating a URL in the url_bounce parameter. This can enable attackers to conduct phishing attacks, potentially leading to unauthorized information disclosure or credential theft.
CWE
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
Impacted products
Vendor Product Version
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Date Public
2014-02-05 18:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T22:28:41.926Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[Spacewalk-announce-list] 20111222 Spacewalk 1.6 has been released",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://www.redhat.com/archives/spacewalk-announce-list/2011-December/msg00000.html"
          },
          {
            "name": "RHSA-2011:1299",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2011-1299.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=672167"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "rhn-client-tools",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "rhnsd",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unknown",
          "packageName": "yum-rhn-plugin",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "rhnsd",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "yum-rhn-plugin",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2014-02-05T18:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Spacewalk, as used in Red Hat Network Satellite. This open redirect vulnerability allows remote attackers to redirect users to arbitrary web sites by manipulating a URL in the url_bounce parameter. This can enable attackers to conduct phishing attacks, potentially leading to unauthorized information disclosure or credential theft."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-02T21:17:14.782Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "http://www.redhat.com/support/errata/RHSA-2011-1299.html"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2011-1594"
        },
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=672167"
        },
        {
          "url": "https://www.redhat.com/archives/spacewalk-announce-list/2011-December/msg00000.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-02T15:01:02.325Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2014-02-05T18:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Spacewalk: spacewalk: open redirect vulnerability enables phishing attacks via url parameter",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2011-1594",
    "datePublished": "2014-02-05T18:00:00.000Z",
    "dateReserved": "2011-04-05T00:00:00.000Z",
    "dateUpdated": "2026-04-02T21:17:14.782Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2010-4266 (GCVE-0-2010-4266)

Vulnerability from cvelistv5 – Published: 2021-06-22 13:38 – Updated: 2024-08-07 03:43
VLAI
Summary
It was found in vanilla forums before 2.0.10 a potential linkbait vulnerability in dispatcher.
Severity
No CVSS data available.
CWE
Assigner
References
Impacted products
Vendor Product Version
n/a vanilla forums Affected: vanilla forums before 2.0.10
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T03:43:13.298Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://open.vanillaforums.com/discussion/13119/vanilla-2.0.10-released/p1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vanilla forums",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "vanilla forums before 2.0.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found in vanilla forums before 2.0.10 a potential linkbait vulnerability in dispatcher."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-22T13:38:24.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://open.vanillaforums.com/discussion/13119/vanilla-2.0.10-released/p1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2010-4266",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "vanilla forums",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "vanilla forums before 2.0.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found in vanilla forums before 2.0.10 a potential linkbait vulnerability in dispatcher."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-601"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://open.vanillaforums.com/discussion/13119/vanilla-2.0.10-released/p1",
              "refsource": "MISC",
              "url": "https://open.vanillaforums.com/discussion/13119/vanilla-2.0.10-released/p1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2010-4266",
    "datePublished": "2021-06-22T13:38:24.000Z",
    "dateReserved": "2010-11-16T00:00:00.000Z",
    "dateUpdated": "2024-08-07T03:43:13.298Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2005-10001 (GCVE-0-2005-10001)

Vulnerability from cvelistv5 – Published: 2022-03-28 20:45 – Updated: 2025-04-15 14:45 Unsupported When Assigned
VLAI
Title
Netegrity SiteMinder Login smpwservicescgi.exe redirect
Summary
A vulnerability was found in Netegrity SiteMinder up to 4.5.1 and classified as critical. Affected by this issue is the file /siteminderagent/pwcgi/smpwservicescgi.exe of the component Login. The manipulation of the argument target leads to an open redirect. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://vuldb.com/?id.1022 x_refsource_MISC
Impacted products
Vendor Product Version
Netegrity SiteMinder Affected: 4.5.0
Affected: 4.5.1
Create a notification for this product.
Credits
Marc Ruef
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T00:01:23.500Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.1022"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2005-10001",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-14T17:15:38.326553Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T14:45:26.644Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SiteMinder",
          "vendor": "Netegrity",
          "versions": [
            {
              "status": "affected",
              "version": "4.5.0"
            },
            {
              "status": "affected",
              "version": "4.5.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Marc Ruef"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Netegrity SiteMinder up to 4.5.1 and classified as critical. Affected by this issue is the file /siteminderagent/pwcgi/smpwservicescgi.exe of the component Login. The manipulation of the argument target leads to an open redirect. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 Open Redirect",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-28T20:45:47.000Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://vuldb.com/?id.1022"
        }
      ],
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "Netegrity SiteMinder Login smpwservicescgi.exe redirect",
      "x_generator": "vuldb.com",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@vuldb.com",
          "ID": "CVE-2005-10001",
          "REQUESTER": "cna@vuldb.com",
          "STATE": "PUBLIC",
          "TITLE": "Netegrity SiteMinder Login smpwservicescgi.exe redirect"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SiteMinder",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4.5.0"
                          },
                          {
                            "version_value": "4.5.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Netegrity"
              }
            ]
          }
        },
        "credit": "Marc Ruef",
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Netegrity SiteMinder up to 4.5.1 and classified as critical. Affected by this issue is the file /siteminderagent/pwcgi/smpwservicescgi.exe of the component Login. The manipulation of the argument target leads to an open redirect. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."
            }
          ]
        },
        "generator": "vuldb.com",
        "impact": {
          "cvss": {
            "baseScore": "5.4",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-601 Open Redirect"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://vuldb.com/?id.1022",
              "refsource": "MISC",
              "url": "https://vuldb.com/?id.1022"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2005-10001",
    "datePublished": "2022-03-28T20:45:47.000Z",
    "dateReserved": "2022-01-28T00:00:00.000Z",
    "dateUpdated": "2025-04-15T14:45:26.644Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-2233-5GM5-6Q44

Vulnerability from github – Published: 2022-05-17 02:27 – Updated: 2025-04-20 03:40
VLAI
Details

Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable to an open URL redirect vulnerability in the user web login function resulting in unauthorized account access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-17T13:18:00Z",
    "severity": "MODERATE"
  },
  "details": "Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable to an open URL redirect vulnerability in the user web login function resulting in unauthorized account access.",
  "id": "GHSA-2233-5gm5-6q44",
  "modified": "2025-04-20T03:40:43Z",
  "published": "2022-05-17T02:27:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000027"
    },
    {
      "type": "WEB",
      "url": "https://cp270.wordpress.com/2017/02/02/security-advisory-open-url-redirect-in-sme-server"
    },
    {
      "type": "WEB",
      "url": "https://forums.contribs.org/index.php/topic%2C52838.0.html"
    },
    {
      "type": "WEB",
      "url": "https://forums.contribs.org/index.php/topic,52838.0.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-224P-6F6C-J2F6

Vulnerability from github – Published: 2025-10-15 00:30 – Updated: 2025-10-15 00:30
VLAI
Details

Adobe Connect versions 12.9 and earlier are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction in that a victim must click on a crafted link.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54196"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-14T22:15:38Z",
    "severity": "LOW"
  },
  "details": "Adobe Connect versions 12.9 and earlier are affected by a URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites.  Exploitation of this issue requires user interaction in that a victim must click on a crafted link.",
  "id": "GHSA-224p-6f6c-j2f6",
  "modified": "2025-10-15T00:30:59Z",
  "published": "2025-10-15T00:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54196"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/connect/apsb25-70.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-22M3-C7VP-49FJ

Vulnerability from github – Published: 2026-03-04 20:33 – Updated: 2026-03-06 15:16
VLAI
Summary
IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links
Details

Impact

An attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions.

If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password.

This issue affects IRRD 4.5.0 and all 4.4.x versions prior to 4.4.5. IRRD 4.3 and earlier are not affected, as they did not include the web UI.

Cause

Email links in account creation, password reset, and mntner migration emails were generated from the HTTP request context, allowing an attacker to manipulate the HTTP Host header to redirect these links to an attacker-controlled domain (password reset poisoning).

Resolution

Requests with a Host header that does not match server.http.url are now rejected, preventing Host header injection attacks against the web UI.

All existing password reset tokens are invalidated by this upgrade, rendering any tokens that may have been captured by an attacker unusable.

Patched versions: 4.4.5 and 4.5.1.

Workarounds

Configuring a reverse proxy (such as nginx) to reject requests where the Host header does not match the expected hostname is an effective workaround. Enabling two-factor authentication is strongly recommended for all users, as it prevents account takeover even if a password reset token is compromised.

Detecting exploitation

Because the victim never interacts with the real IRRD instance in this attack, it is difficult to detect exploitation from logs alone.

Indicators that an account was targeted or compromised:

  • A password reset email requested followed by password (re)set successfully where the delay is longer than expected. Legitimate users actively waiting for a reset email tend to complete it quickly; victims who receive an unexpected email are less likely to click it immediately, resulting in a longer delay.
  • Users receiving a password reset mail without requesting one.
  • If a successfully attacked user later attempts to log in with their original password, this appears in the logs as user failed login due to invalid account or password.

After upgrading to a patched release, all existing password reset tokens are invalidated. Users who can still log in with their password after the upgrade can be certain their account has not been taken over.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "irrd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.4.0"
            },
            {
              "fixed": "4.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "irrd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.0"
            },
            {
              "fixed": "4.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28681"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601",
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-04T20:33:21Z",
    "nvd_published_at": "2026-03-06T05:16:37Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n\nAn attacker can manipulate the HTTP `Host` header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account\u0027s mntners and perform other account actions.\n\nIf the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password.\n\nThis issue affects IRRD 4.5.0 and all 4.4.x versions prior to 4.4.5. IRRD 4.3 and earlier are not affected, as they did not include the web UI.\n\n## Cause\n\nEmail links in account creation, password reset, and mntner migration emails were generated from the HTTP request context, allowing an attacker to manipulate the HTTP `Host` header to redirect these links to an attacker-controlled domain (password reset poisoning).\n\n## Resolution\n\nRequests with a `Host` header that does not match `server.http.url` are now rejected, preventing Host header injection attacks against the web UI.\n\nAll existing password reset tokens are invalidated by this upgrade, rendering any tokens that may have been captured by an attacker unusable.\n\nPatched versions: 4.4.5 and 4.5.1.\n\n## Workarounds\n\nConfiguring a reverse proxy (such as nginx) to reject requests where the `Host` header does not match the expected hostname is an effective workaround. Enabling two-factor authentication is strongly recommended for all users, as it prevents account takeover even if a password reset token is compromised.\n\n## Detecting exploitation\n\nBecause the victim never interacts with the real IRRD instance in this attack, it is difficult to detect exploitation from logs alone.\n\nIndicators that an account was targeted or compromised:\n\n- A `password reset email requested` followed by `password (re)set successfully` where the delay is longer than expected. Legitimate users actively waiting for a reset email tend to complete it quickly; victims who receive an unexpected email are less likely to click it immediately, resulting in a longer delay.\n- Users receiving a password reset mail without requesting one.\n- If a successfully attacked user later attempts to log in with their original password, this appears in the logs as `user failed login due to invalid account or password`.\n\nAfter upgrading to a patched release, all existing password reset tokens are invalidated. Users who can still log in with their password after the upgrade can be certain their account has not been taken over.",
  "id": "GHSA-22m3-c7vp-49fj",
  "modified": "2026-03-06T15:16:30Z",
  "published": "2026-03-04T20:33:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-22m3-c7vp-49fj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28681"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irrdnet/irrd/commit/8408e0f1b9f47eb2f2e712d6153e32194df05fbb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/irrdnet/irrd/commit/cf62df4a49d3891e80b2879d9b324d1af050000c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/irrdnet/irrd"
    },
    {
      "type": "WEB",
      "url": "https://irrd.readthedocs.io/en/stable/releases/4.4.5"
    },
    {
      "type": "WEB",
      "url": "https://irrd.readthedocs.io/en/stable/releases/4.5.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links"
}

GHSA-22W7-M5F8-87VH

Vulnerability from github – Published: 2023-06-15 06:30 – Updated: 2025-08-08 21:12
VLAI
Summary
Liferay Portal and Liferay DXP Vulnerable to Open Redirect via the Layout Module
Details

Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL parameter.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.portal.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.3.70-ga70"
            },
            {
              "fixed": "7.4.3.77-ga77"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.13.u70"
            },
            {
              "last_affected": "7.4.13.u76"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-35029"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-08T21:12:20Z",
    "nvd_published_at": "2023-06-15T04:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Open redirect vulnerability in the Layout module\u0027s SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.",
  "id": "GHSA-22w7-m5f8-87vh",
  "modified": "2025-08-08T21:12:21Z",
  "published": "2023-06-15T06:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35029"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.atlassian.net/browse/LPE-17403"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35029?p_r_p_assetEntryId=121861874\u0026_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121861874%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Liferay Portal and Liferay DXP Vulnerable to Open Redirect via the Layout Module"
}

GHSA-22WQ-Q86M-83FH

Vulnerability from github – Published: 2025-08-12 20:20 – Updated: 2025-08-12 20:20
VLAI
Summary
svg-sanitizer Bypasses Attribute Sanitization
Details

Problem

The sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lower-case attribute names (e.g. xlink:href instead of xlink:HrEf), which allows to by-pass the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains.

Proof-of-concept

provided by azizk

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <a xlink:hReF="javascript:alert(document.domain)">
    <rect width="100" height="50" fill="red"></rect>
    <text x="50" y="30" text-anchor="middle" fill="white">Click me</text>
  </a>
</svg>

Credits

The mentioned findings and proof-of-concept example were reported to the TYPO3 Security Team by the external security researcher azizk <medazizknani@gmail.com>.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "enshrined/svg-sanitize"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.22.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55166"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-12T20:20:58Z",
    "nvd_published_at": "2025-08-12T17:15:39Z",
    "severity": "MODERATE"
  },
  "details": "#### Problem\n\nThe sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lower-case attribute names (e.g. `xlink:href` instead of `xlink:HrEf`), which allows to by-pass the `isHrefSafeValue` check. As a result this allows cross-site scripting or linking to external domains.\n\n#### Proof-of-concept\n_provided by azizk_\n\n```\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"100\" height=\"100\"\u003e\n  \u003ca xlink:hReF=\"javascript:alert(document.domain)\"\u003e\n    \u003crect width=\"100\" height=\"50\" fill=\"red\"\u003e\u003c/rect\u003e\n    \u003ctext x=\"50\" y=\"30\" text-anchor=\"middle\" fill=\"white\"\u003eClick me\u003c/text\u003e\n  \u003c/a\u003e\n\u003c/svg\u003e\n```\n\n#### Credits\n\nThe mentioned findings and proof-of-concept example were reported to the TYPO3 Security Team by the external security researcher `azizk \u003cmedazizknani@gmail.com\u003e`.",
  "id": "GHSA-22wq-q86m-83fh",
  "modified": "2025-08-12T20:20:59Z",
  "published": "2025-08-12T20:20:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-22wq-q86m-83fh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55166"
    },
    {
      "type": "WEB",
      "url": "https://github.com/darylldoyle/svg-sanitizer/commit/0afa95ea74be155a7bcd6c6fb60c276c39984500"
    },
    {
      "type": "WEB",
      "url": "https://github.com/darylldoyle/svg-sanitizer/commit/5a0a1eaf0c6b0b540dc945fe30c93cf106b357c1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/darylldoyle/svg-sanitizer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481"
    },
    {
      "type": "WEB",
      "url": "https://github.com/darylldoyle/svg-sanitizer/releases/tag/0.22.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "svg-sanitizer Bypasses Attribute Sanitization"
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • Use a list of approved URLs or domains to be used for redirection.
Mitigation
Architecture and Design

Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Mitigation MIT-21.2
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Architecture and Design

Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).

Mitigation MIT-6
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
  • Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-178: Cross-Site Flashing

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.