CWE-601
AllowedURL Redirection to Untrusted Site ('Open Redirect')
Abstraction: Base · Status: Draft
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
2305 vulnerabilities reference this CWE, most recent first.
GHSA-W2C2-H6W5-J5PF
Vulnerability from github – Published: 2022-05-24 17:05 – Updated: 2024-04-04 02:45Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL.
{
"affected": [],
"aliases": [
"CVE-2019-6020"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-26T16:15:00Z",
"severity": "MODERATE"
},
"details": "Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL.",
"id": "GHSA-w2c2-h6w5-j5pf",
"modified": "2024-04-04T02:45:36Z",
"published": "2022-05-24T17:05:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6020"
},
{
"type": "WEB",
"url": "https://www.powercms.jp/news/release-powercms-201910.html"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN34634458/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W2J7-F3C6-G8CW
Vulnerability from github – Published: 2026-06-23 22:46 – Updated: 2026-06-23 22:46Open Redirect in Flask-Security
Summary
flask_security.utils.validate_redirect_url() can allow an attacker-controlled redirect URL when subdomain redirects are enabled.
The bypass uses a backslash inside the URL authority/host:
http://evil.com\.whitelist.com
http://evil.com%5C.whitelist.com
Python's urlsplit() parses the full authority as evil.com\.whitelist.com or evil.com%5C.whitelist.com. Because the value ends with .whitelist.com, validate_redirect_url() accepts it as an allowed subdomain of whitelist.com.
This is similar in class to the previous Flask-Security-Too open redirect advisory CVE-2023-49438 / GHSA-672h-6x89-76m5, where crafted redirect URLs bypassed validation through browser URL normalization behavior.
Affected Configuration
The issue requires subdomain redirects to be enabled:
SERVER_NAME = "whitelist.com"
SECURITY_REDIRECT_ALLOW_SUBDOMAINS = True
Tested environment:
Flask-Security: 5.8.0
Flask: 3.1.3
Werkzeug: 3.1.8
Impact
An attacker can craft a URL that passes Flask-Security's redirect validation and produces a 302 response to an attacker-controlled URL-like authority.
This can be used for phishing or other attacks that rely on a trusted application redirecting users to an attacker-controlled destination.
Proof of Concept
PoC Flask App
from __future__ import annotations
from importlib.metadata import version
from urllib.parse import urlsplit
from flask import Flask, jsonify, redirect, request
from flask_security.utils import validate_redirect_url
app = Flask(__name__)
app.config.update(
SECRET_KEY="poc-only",
SERVER_NAME="whitelist.com",
SECURITY_REDIRECT_ALLOW_SUBDOMAINS=True,
SECURITY_REDIRECT_BASE_DOMAIN=None,
SECURITY_REDIRECT_ALLOWED_SUBDOMAINS=[],
)
@app.get("/")
def index():
return jsonify(
flask_version=version("Flask"),
configured_server_name=app.config["SERVER_NAME"],
examples=[
r"http://evil.com\.whitelist.com",
"http://evil.com%5C.whitelist.com",
"http://sub.whitelist.com",
"http://sub.not-whitelist.com",
],
)
@app.get("/check")
def check():
next_url = request.args.get("next", "")
parsed = urlsplit(next_url)
return jsonify(
next=next_url,
valid=validate_redirect_url(next_url),
parsed={
"scheme": parsed.scheme,
"netloc": parsed.netloc,
"hostname": parsed.hostname,
"path": parsed.path,
},
)
@app.get("/redir")
def redir():
next_url = request.args.get("next", "")
if not validate_redirect_url(next_url):
return jsonify(error="blocked", next=next_url), 400
return redirect(next_url)
if __name__ == "__main__":
app.run(host="127.0.0.1", port=5000, debug=False)
Steps to Reproduce
Run the PoC with the target project's Flask version:
.venv/bin/python poc_redirect_app.py
The invalid comparison case is correctly blocked:
http://127.0.0.1:5000/redir?next=http://evil.com
Observed result:
Check the validation result:
http://127.0.0.1:5000/check?next=http://evil.com%5C.whitelist.com
Observed result:
References
- CVE-2023-49438: https://advisories.gitlab.com/pypi/flask-security-too/CVE-2023-49438/
- GHSA-672h-6x89-76m5: https://osv.dev/vulnerability/CVE-2023-49438
- NVD entry for CVE-2023-49438: https://nvd.nist.gov/vuln/detail/CVE-2023-49438
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.0"
},
"package": {
"ecosystem": "PyPI",
"name": "Flask-Security"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-23T22:46:31Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "# Open Redirect in Flask-Security\n\n## Summary\n\n`flask_security.utils.validate_redirect_url()` can allow an attacker-controlled redirect URL when subdomain redirects are enabled.\n\nThe bypass uses a backslash inside the URL authority/host:\n\n```text\nhttp://evil.com\\.whitelist.com\nhttp://evil.com%5C.whitelist.com\n```\n\nPython\u0027s `urlsplit()` parses the full authority as `evil.com\\.whitelist.com` or `evil.com%5C.whitelist.com`. Because the value ends with `.whitelist.com`, `validate_redirect_url()` accepts it as an allowed subdomain of `whitelist.com`.\n\nThis is similar in class to the previous Flask-Security-Too open redirect advisory CVE-2023-49438 / GHSA-672h-6x89-76m5, where crafted redirect URLs bypassed validation through browser URL normalization behavior.\n\n## Affected Configuration\n\nThe issue requires subdomain redirects to be enabled:\n\n```python\nSERVER_NAME = \"whitelist.com\"\nSECURITY_REDIRECT_ALLOW_SUBDOMAINS = True\n```\n\nTested environment:\n\n```text\nFlask-Security: 5.8.0\nFlask: 3.1.3\nWerkzeug: 3.1.8\n```\n\n## Impact\n\nAn attacker can craft a URL that passes Flask-Security\u0027s redirect validation and produces a `302` response to an attacker-controlled URL-like authority.\n\nThis can be used for phishing or other attacks that rely on a trusted application redirecting users to an attacker-controlled destination.\n\n## Proof of Concept\n\n### PoC Flask App\n\n```python\nfrom __future__ import annotations\n\nfrom importlib.metadata import version\nfrom urllib.parse import urlsplit\n\nfrom flask import Flask, jsonify, redirect, request\n\nfrom flask_security.utils import validate_redirect_url\n\n\napp = Flask(__name__)\napp.config.update(\n SECRET_KEY=\"poc-only\",\n SERVER_NAME=\"whitelist.com\",\n SECURITY_REDIRECT_ALLOW_SUBDOMAINS=True,\n SECURITY_REDIRECT_BASE_DOMAIN=None,\n SECURITY_REDIRECT_ALLOWED_SUBDOMAINS=[],\n)\n\n\n@app.get(\"/\")\ndef index():\n return jsonify(\n flask_version=version(\"Flask\"),\n configured_server_name=app.config[\"SERVER_NAME\"],\n examples=[\n r\"http://evil.com\\.whitelist.com\",\n \"http://evil.com%5C.whitelist.com\",\n \"http://sub.whitelist.com\",\n \"http://sub.not-whitelist.com\",\n ],\n )\n\n\n@app.get(\"/check\")\ndef check():\n next_url = request.args.get(\"next\", \"\")\n parsed = urlsplit(next_url)\n\n return jsonify(\n next=next_url,\n valid=validate_redirect_url(next_url),\n parsed={\n \"scheme\": parsed.scheme,\n \"netloc\": parsed.netloc,\n \"hostname\": parsed.hostname,\n \"path\": parsed.path,\n },\n )\n\n\n@app.get(\"/redir\")\ndef redir():\n next_url = request.args.get(\"next\", \"\")\n if not validate_redirect_url(next_url):\n return jsonify(error=\"blocked\", next=next_url), 400\n\n return redirect(next_url)\n\n\nif __name__ == \"__main__\":\n app.run(host=\"127.0.0.1\", port=5000, debug=False)\n```\n\n### Steps to Reproduce\n\nRun the PoC with the target project\u0027s Flask version:\n\n```bash\n.venv/bin/python poc_redirect_app.py\n```\n\nThe invalid comparison case is correctly blocked:\n\n```bash\nhttp://127.0.0.1:5000/redir?next=http://evil.com\n```\n\nObserved result:\n\n\u003cimg width=\"1019\" height=\"294\" alt=\"image\" src=\"https://github.com/user-attachments/assets/de25ac4d-b37f-4369-928e-f44dfd5b7557\" /\u003e\n\nCheck the validation result:\n\n```bash\nhttp://127.0.0.1:5000/check?next=http://evil.com%5C.whitelist.com\n```\n\nObserved result:\n\n\u003cimg width=\"1029\" height=\"634\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8e5ec8a6-42a4-438a-8d12-a27724519091\" /\u003e\n\n## References\n\n- CVE-2023-49438: https://advisories.gitlab.com/pypi/flask-security-too/CVE-2023-49438/\n- GHSA-672h-6x89-76m5: https://osv.dev/vulnerability/CVE-2023-49438\n- NVD entry for CVE-2023-49438: https://nvd.nist.gov/vuln/detail/CVE-2023-49438",
"id": "GHSA-w2j7-f3c6-g8cw",
"modified": "2026-06-23T22:46:31Z",
"published": "2026-06-23T22:46:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pallets-eco/flask-security/security/advisories/GHSA-w2j7-f3c6-g8cw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49438"
},
{
"type": "WEB",
"url": "https://advisories.gitlab.com/pypi/flask-security-too/CVE-2023-49438"
},
{
"type": "PACKAGE",
"url": "https://github.com/pallets-eco/flask-security"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-49438"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Flask-Security has an Open Redirect issue"
}
GHSA-W2X5-HPMG-J98H
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2023-10-20 22:49A vulnerability was found in Artesãos SEOTools up to and including version 0.17.1. This issue affects the function eachValue of the file TwitterCards.php. The manipulation of the argument value leads to open redirect. Upgrading to version 0.17.2 is able to address this issue. The name of the patch is ca27cd0edf917e0bc805227013859b8b5a1f01fb. It is recommended to upgrade the affected component. The identifier VDB-222233 was assigned to this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "artesaos/seotools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.17.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36665"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-06T21:49:53Z",
"nvd_published_at": "2023-03-04T19:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Artes\u00e3os SEOTools up to and including version 0.17.1. This issue affects the function eachValue of the file TwitterCards.php. The manipulation of the argument value leads to open redirect. Upgrading to version 0.17.2 is able to address this issue. The name of the patch is ca27cd0edf917e0bc805227013859b8b5a1f01fb. It is recommended to upgrade the affected component. The identifier VDB-222233 was assigned to this vulnerability.\n\n",
"id": "GHSA-w2x5-hpmg-j98h",
"modified": "2023-10-20T22:49:17Z",
"published": "2023-07-06T19:24:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36665"
},
{
"type": "WEB",
"url": "https://github.com/artesaos/seotools/pull/201"
},
{
"type": "WEB",
"url": "https://github.com/artesaos/seotools/commit/ca27cd0edf917e0bc805227013859b8b5a1f01fb"
},
{
"type": "PACKAGE",
"url": "https://github.com/artesaos/seotools"
},
{
"type": "WEB",
"url": "https://github.com/artesaos/seotools/releases/tag/v0.17.2"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.222233"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.222233"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Artes\u00e3os SEOTools Open Redirect vulnerability"
}
GHSA-W34G-4JQC-CW8G
Vulnerability from github – Published: 2022-05-14 03:40 – Updated: 2022-05-14 03:40Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1.
{
"affected": [],
"aliases": [
"CVE-2017-18178"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-12T14:29:00Z",
"severity": "MODERATE"
},
"details": "Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue in which an authentication token is sent to the redirection target, if the target is specified using a certain %40 syntax. This is fixed in 10.1.",
"id": "GHSA-w34g-4jqc-cw8g",
"modified": "2022-05-14T03:40:10Z",
"published": "2022-05-14T03:40:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18178"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/143894/Progress-Sitefinity-9.1-XSS-Session-Management-Open-Redirect.html"
},
{
"type": "WEB",
"url": "https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-progress-sitefinity/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W397-9P2J-6X23
Vulnerability from github – Published: 2022-09-23 00:00 – Updated: 2025-07-16 14:47HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirectparameter (2)FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.3.1-ga2"
},
{
"fixed": "7.4.3.4-ga4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.10.fp91"
},
{
"fixed": "7.0.10.fp101"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.1.10.fp17"
},
{
"fixed": "7.1.10.fp25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.2.10.fp5"
},
{
"fixed": "7.2.10.fp14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:com.liferay.util.java"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-28977"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-16T14:47:57Z",
"nvd_published_at": "2022-09-22T01:15:00Z",
"severity": "MODERATE"
},
"details": "HtmlUtil.escapeRedirect in Liferay Portal 7.3.1 through 7.4.2, and Liferay DXP 7.0 fix pack 91 through 101, 7.1 fix pack 17 through 25, 7.2 fix pack 5 through 14, and 7.3 before service pack 3 can be circumvented by using multiple forward slashes, which allows remote attackers to redirect users to arbitrary external URLs via the (1) \u0027redirect` parameter (2) `FORWARD_URL` parameter, and (3) others parameters that rely on HtmlUtil.escapeRedirect.",
"id": "GHSA-w397-9p2j-6x23",
"modified": "2025-07-16T14:47:57Z",
"published": "2022-09-23T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28977"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/242e8bcabe3e8767799d3d1e6c021a75b4ada11b"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/6389885476414d3cd9e3092b4708906a5bdc8a48"
},
{
"type": "WEB",
"url": "https://github.com/liferay/liferay-portal/commit/8aa3fd76f34d1a4562bd5b4f82931a0a124e31a8"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.atlassian.net/browse/LPE-17327"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-28977?p_r_p_assetEntryId=121612261\u0026_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121612261%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20220922060039/https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-28977-htmlutil.escaperedirect-circumvention-with-multiple-forward-slash"
},
{
"type": "WEB",
"url": "http://liferay.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Liferay Portal and Liferay DXP HtmlUtil.escapeRedirect Can Be Circumvented"
}
GHSA-W3JC-X7JX-9RXX
Vulnerability from github – Published: 2024-05-02 18:30 – Updated: 2026-04-08 18:33The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 4.0.30. This is due to insufficient validation on the redirect url supplied via the redirect_to parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
{
"affected": [],
"aliases": [
"CVE-2024-4133"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-02T17:15:35Z",
"severity": "MODERATE"
},
"details": "The ARMember \u2013 Membership Plugin, Content Restriction, Member Levels, User Profile \u0026 User signup plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 4.0.30. This is due to insufficient validation on the redirect url supplied via the redirect_to parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.",
"id": "GHSA-w3jc-x7jx-9rxx",
"modified": "2026-04-08T18:33:05Z",
"published": "2024-05-02T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4133"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3078683%40armember-membership%2Ftrunk\u0026old=3069538%40armember-membership%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80d113aa-7401-4b58-a755-f64146d9fb08?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W3M5-M73F-FM2C
Vulnerability from github – Published: 2023-03-25 18:30 – Updated: 2023-03-30 21:30A vulnerability classified as problematic has been found in Arno0x TwoFactorAuth. This affects an unknown part of the file login/login.php. The manipulation of the argument from leads to open redirect. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The name of the patch is 8549ad3cf197095f783643e41333586d6a4d0e54. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-223803.
{
"affected": [],
"aliases": [
"CVE-2016-15030"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-25T18:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in Arno0x TwoFactorAuth. This affects an unknown part of the file login/login.php. The manipulation of the argument from leads to open redirect. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The name of the patch is 8549ad3cf197095f783643e41333586d6a4d0e54. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-223803.",
"id": "GHSA-w3m5-m73f-fm2c",
"modified": "2023-03-30T21:30:24Z",
"published": "2023-03-25T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-15030"
},
{
"type": "WEB",
"url": "https://github.com/Arno0x/TwoFactorAuth/pull/3"
},
{
"type": "WEB",
"url": "https://github.com/Arno0x/TwoFactorAuth/commit/8549ad3cf197095f783643e41333586d6a4d0e54"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.223803"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.223803"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W3P6-94X2-XCVM
Vulnerability from github – Published: 2022-05-17 04:03 – Updated: 2023-08-04 23:08Open redirect vulnerability in Apache Ambari before 2.1.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the targetURI parameter.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.ambari:ambari"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-5210"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-04T23:08:41Z",
"nvd_published_at": "2015-11-02T19:59:00Z",
"severity": "MODERATE"
},
"details": "Open redirect vulnerability in Apache Ambari before 2.1.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the targetURI parameter.",
"id": "GHSA-w3p6-94x2-xcvm",
"modified": "2023-08-04T23:08:41Z",
"published": "2022-05-17T04:03:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5210"
},
{
"type": "WEB",
"url": "https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities#AmbariVulnerabilities-FixedinAmbari2.1.2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/10/13/4"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Apache Ambari Open Redirect"
}
GHSA-W442-Q9G5-Q7V3
Vulnerability from github – Published: 2022-11-01 12:00 – Updated: 2022-11-02 12:00The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.12.2 is susceptible to a URL parsing vulnerability. If a malicious Zoom meeting URL is opened, the malicious link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers.
{
"affected": [],
"aliases": [
"CVE-2022-28763"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-31T20:15:00Z",
"severity": "CRITICAL"
},
"details": "The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.12.2 is susceptible to a URL parsing vulnerability. If a malicious Zoom meeting URL is opened, the malicious link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers.",
"id": "GHSA-w442-q9g5-q7v3",
"modified": "2022-11-02T12:00:44Z",
"published": "2022-11-01T12:00:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28763"
},
{
"type": "WEB",
"url": "https://explore.zoom.us/en/trust/security/security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W47Q-3FHM-CHGW
Vulnerability from github – Published: 2022-05-17 02:15 – Updated: 2022-05-17 02:15There is URL Redirector Abuse in MetInfo through 5.3.17 via the gourl parameter to member/login.php.
{
"affected": [],
"aliases": [
"CVE-2017-11718"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-28T05:29:00Z",
"severity": "MODERATE"
},
"details": "There is URL Redirector Abuse in MetInfo through 5.3.17 via the gourl parameter to member/login.php.",
"id": "GHSA-w47q-3fhm-chgw",
"modified": "2022-05-17T02:15:36Z",
"published": "2022-05-17T02:15:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11718"
},
{
"type": "WEB",
"url": "https://lncken.cn/?p=350"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- Use a list of approved URLs or domains to be used for redirection.
Mitigation
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Mitigation MIT-21.2
Strategy: Enforcement by Conversion
- When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
- For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
Mitigation MIT-6
Strategy: Attack Surface Reduction
- Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
- Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-178: Cross-Site Flashing
An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.