CWE-601
AllowedURL Redirection to Untrusted Site ('Open Redirect')
Abstraction: Base · Status: Draft
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
2312 vulnerabilities reference this CWE, most recent first.
GHSA-224P-6F6C-J2F6
Vulnerability from github – Published: 2025-10-15 00:30 – Updated: 2025-10-15 00:30Adobe Connect versions 12.9 and earlier are affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction in that a victim must click on a crafted link.
{
"affected": [],
"aliases": [
"CVE-2025-54196"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T22:15:38Z",
"severity": "LOW"
},
"details": "Adobe Connect versions 12.9 and earlier are affected by a URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability. An attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction in that a victim must click on a crafted link.",
"id": "GHSA-224p-6f6c-j2f6",
"modified": "2025-10-15T00:30:59Z",
"published": "2025-10-15T00:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54196"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/connect/apsb25-70.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-22M3-C7VP-49FJ
Vulnerability from github – Published: 2026-03-04 20:33 – Updated: 2026-03-06 15:16Impact
An attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions.
If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password.
This issue affects IRRD 4.5.0 and all 4.4.x versions prior to 4.4.5. IRRD 4.3 and earlier are not affected, as they did not include the web UI.
Cause
Email links in account creation, password reset, and mntner migration emails were generated from the HTTP request context, allowing an attacker to manipulate the HTTP Host header to redirect these links to an attacker-controlled domain (password reset poisoning).
Resolution
Requests with a Host header that does not match server.http.url are now rejected, preventing Host header injection attacks against the web UI.
All existing password reset tokens are invalidated by this upgrade, rendering any tokens that may have been captured by an attacker unusable.
Patched versions: 4.4.5 and 4.5.1.
Workarounds
Configuring a reverse proxy (such as nginx) to reject requests where the Host header does not match the expected hostname is an effective workaround. Enabling two-factor authentication is strongly recommended for all users, as it prevents account takeover even if a password reset token is compromised.
Detecting exploitation
Because the victim never interacts with the real IRRD instance in this attack, it is difficult to detect exploitation from logs alone.
Indicators that an account was targeted or compromised:
- A
password reset email requestedfollowed bypassword (re)set successfullywhere the delay is longer than expected. Legitimate users actively waiting for a reset email tend to complete it quickly; victims who receive an unexpected email are less likely to click it immediately, resulting in a longer delay. - Users receiving a password reset mail without requesting one.
- If a successfully attacked user later attempts to log in with their original password, this appears in the logs as
user failed login due to invalid account or password.
After upgrading to a patched release, all existing password reset tokens are invalidated. Users who can still log in with their password after the upgrade can be certain their account has not been taken over.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "irrd"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "irrd"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0"
},
{
"fixed": "4.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28681"
],
"database_specific": {
"cwe_ids": [
"CWE-601",
"CWE-640"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-04T20:33:21Z",
"nvd_published_at": "2026-03-06T05:16:37Z",
"severity": "HIGH"
},
"details": "## Impact\n\nAn attacker can manipulate the HTTP `Host` header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account\u0027s mntners and perform other account actions.\n\nIf the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password.\n\nThis issue affects IRRD 4.5.0 and all 4.4.x versions prior to 4.4.5. IRRD 4.3 and earlier are not affected, as they did not include the web UI.\n\n## Cause\n\nEmail links in account creation, password reset, and mntner migration emails were generated from the HTTP request context, allowing an attacker to manipulate the HTTP `Host` header to redirect these links to an attacker-controlled domain (password reset poisoning).\n\n## Resolution\n\nRequests with a `Host` header that does not match `server.http.url` are now rejected, preventing Host header injection attacks against the web UI.\n\nAll existing password reset tokens are invalidated by this upgrade, rendering any tokens that may have been captured by an attacker unusable.\n\nPatched versions: 4.4.5 and 4.5.1.\n\n## Workarounds\n\nConfiguring a reverse proxy (such as nginx) to reject requests where the `Host` header does not match the expected hostname is an effective workaround. Enabling two-factor authentication is strongly recommended for all users, as it prevents account takeover even if a password reset token is compromised.\n\n## Detecting exploitation\n\nBecause the victim never interacts with the real IRRD instance in this attack, it is difficult to detect exploitation from logs alone.\n\nIndicators that an account was targeted or compromised:\n\n- A `password reset email requested` followed by `password (re)set successfully` where the delay is longer than expected. Legitimate users actively waiting for a reset email tend to complete it quickly; victims who receive an unexpected email are less likely to click it immediately, resulting in a longer delay.\n- Users receiving a password reset mail without requesting one.\n- If a successfully attacked user later attempts to log in with their original password, this appears in the logs as `user failed login due to invalid account or password`.\n\nAfter upgrading to a patched release, all existing password reset tokens are invalidated. Users who can still log in with their password after the upgrade can be certain their account has not been taken over.",
"id": "GHSA-22m3-c7vp-49fj",
"modified": "2026-03-06T15:16:30Z",
"published": "2026-03-04T20:33:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-22m3-c7vp-49fj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28681"
},
{
"type": "WEB",
"url": "https://github.com/irrdnet/irrd/commit/8408e0f1b9f47eb2f2e712d6153e32194df05fbb"
},
{
"type": "WEB",
"url": "https://github.com/irrdnet/irrd/commit/cf62df4a49d3891e80b2879d9b324d1af050000c"
},
{
"type": "PACKAGE",
"url": "https://github.com/irrdnet/irrd"
},
{
"type": "WEB",
"url": "https://irrd.readthedocs.io/en/stable/releases/4.4.5"
},
{
"type": "WEB",
"url": "https://irrd.readthedocs.io/en/stable/releases/4.5.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links"
}
GHSA-22W7-M5F8-87VH
Vulnerability from github – Published: 2023-06-15 06:30 – Updated: 2025-08-08 21:12Open redirect vulnerability in the Layout module's SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL parameter.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.4.3.70-ga70"
},
{
"fixed": "7.4.3.77-ga77"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.dxp.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.4.13.u70"
},
{
"last_affected": "7.4.13.u76"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-35029"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-08T21:12:20Z",
"nvd_published_at": "2023-06-15T04:15:34Z",
"severity": "MODERATE"
},
"details": "Open redirect vulnerability in the Layout module\u0027s SEO configuration in Liferay Portal 7.4.3.70 through 7.4.3.76, and Liferay DXP 7.4 update 70 through 76 allows remote attackers to redirect users to arbitrary external URLs via the `_com_liferay_layout_admin_web_portlet_GroupPagesPortlet_backURL` parameter.",
"id": "GHSA-22w7-m5f8-87vh",
"modified": "2025-08-08T21:12:21Z",
"published": "2023-06-15T06:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35029"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.atlassian.net/browse/LPE-17403"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-35029?p_r_p_assetEntryId=121861874\u0026_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_redirect=https%3A%2F%2Fliferay.dev%3A443%2Fportal%2Fsecurity%2Fknown-vulnerabilities%3Fp_p_id%3Dcom_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt%26p_p_lifecycle%3D0%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_r_p_assetEntryId%3D121861874%26_com_liferay_asset_publisher_web_portlet_AssetPublisherPortlet_INSTANCE_jekt_cur%3D0%26p_r_p_resetCur%3Dfalse"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Liferay Portal and Liferay DXP Vulnerable to Open Redirect via the Layout Module"
}
GHSA-22WQ-Q86M-83FH
Vulnerability from github – Published: 2025-08-12 20:20 – Updated: 2025-08-12 20:20Problem
The sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lower-case attribute names (e.g. xlink:href instead of xlink:HrEf), which allows to by-pass the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains.
Proof-of-concept
provided by azizk
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
<a xlink:hReF="javascript:alert(document.domain)">
<rect width="100" height="50" fill="red"></rect>
<text x="50" y="30" text-anchor="middle" fill="white">Click me</text>
</a>
</svg>
Credits
The mentioned findings and proof-of-concept example were reported to the TYPO3 Security Team by the external security researcher azizk <medazizknani@gmail.com>.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "enshrined/svg-sanitize"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.22.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-55166"
],
"database_specific": {
"cwe_ids": [
"CWE-601",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-12T20:20:58Z",
"nvd_published_at": "2025-08-12T17:15:39Z",
"severity": "MODERATE"
},
"details": "#### Problem\n\nThe sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lower-case attribute names (e.g. `xlink:href` instead of `xlink:HrEf`), which allows to by-pass the `isHrefSafeValue` check. As a result this allows cross-site scripting or linking to external domains.\n\n#### Proof-of-concept\n_provided by azizk_\n\n```\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003csvg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"100\" height=\"100\"\u003e\n \u003ca xlink:hReF=\"javascript:alert(document.domain)\"\u003e\n \u003crect width=\"100\" height=\"50\" fill=\"red\"\u003e\u003c/rect\u003e\n \u003ctext x=\"50\" y=\"30\" text-anchor=\"middle\" fill=\"white\"\u003eClick me\u003c/text\u003e\n \u003c/a\u003e\n\u003c/svg\u003e\n```\n\n#### Credits\n\nThe mentioned findings and proof-of-concept example were reported to the TYPO3 Security Team by the external security researcher `azizk \u003cmedazizknani@gmail.com\u003e`.",
"id": "GHSA-22wq-q86m-83fh",
"modified": "2025-08-12T20:20:59Z",
"published": "2025-08-12T20:20:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/darylldoyle/svg-sanitizer/security/advisories/GHSA-22wq-q86m-83fh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55166"
},
{
"type": "WEB",
"url": "https://github.com/darylldoyle/svg-sanitizer/commit/0afa95ea74be155a7bcd6c6fb60c276c39984500"
},
{
"type": "WEB",
"url": "https://github.com/darylldoyle/svg-sanitizer/commit/5a0a1eaf0c6b0b540dc945fe30c93cf106b357c1"
},
{
"type": "PACKAGE",
"url": "https://github.com/darylldoyle/svg-sanitizer"
},
{
"type": "WEB",
"url": "https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481"
},
{
"type": "WEB",
"url": "https://github.com/darylldoyle/svg-sanitizer/releases/tag/0.22.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "svg-sanitizer Bypasses Attribute Sanitization"
}
GHSA-239C-9QHP-4XC9
Vulnerability from github – Published: 2025-07-07 18:32 – Updated: 2025-07-08 18:31An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the bbs/member_confirm.php.
{
"affected": [],
"aliases": [
"CVE-2024-37658"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-07T18:15:25Z",
"severity": "MODERATE"
},
"details": "An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the bbs/member_confirm.php.",
"id": "GHSA-239c-9qhp-4xc9",
"modified": "2025-07-08T18:31:22Z",
"published": "2025-07-07T18:32:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37658"
},
{
"type": "WEB",
"url": "https://github.com/gnuboard/gnuboard5/issues/319"
},
{
"type": "WEB",
"url": "https://sir.kr/g5_pds/7205"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-239M-CHP6-538F
Vulnerability from github – Published: 2022-05-14 01:45 – Updated: 2022-05-14 01:45An open redirect vulnerability exists in the Access Manager Identity Provider prior to 4.4 SP3.
{
"affected": [],
"aliases": [
"CVE-2018-17948"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-20T18:29:00Z",
"severity": "MODERATE"
},
"details": "An open redirect vulnerability exists in the Access Manager Identity Provider prior to 4.4 SP3.",
"id": "GHSA-239m-chp6-538f",
"modified": "2022-05-14T01:45:30Z",
"published": "2022-05-14T01:45:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17948"
},
{
"type": "WEB",
"url": "https://support.microfocus.com/kb/doc.php?id=7023530"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-23R7-3WVP-5358
Vulnerability from github – Published: 2023-12-27 00:30 – Updated: 2024-01-04 03:30An open redirect through HTML injection in user messages in Asp.Net Zero before 12.3.0 allows remote attackers to redirect targeted victims to any URL via the '<meta http-equiv="refresh"' in the WebSocket messages.
{
"affected": [],
"aliases": [
"CVE-2023-48003"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-26T22:15:13Z",
"severity": "MODERATE"
},
"details": "An open redirect through HTML injection in user messages in Asp.Net Zero before 12.3.0 allows remote attackers to redirect targeted victims to any URL via the \u0027\u003cmeta http-equiv=\"refresh\"\u0027 in the WebSocket messages.",
"id": "GHSA-23r7-3wvp-5358",
"modified": "2024-01-04T03:30:38Z",
"published": "2023-12-27T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48003"
},
{
"type": "WEB",
"url": "https://docs.unsafe-inline.com/0day/asp.net-zero-v12.3.0-html-injection-leads-to-open-redirect-via-websockets-cve-2023-48003"
},
{
"type": "WEB",
"url": "https://github.com/passtheticket/vulnerability-research/blob/main/aspnetzero_html_injection_via_websockets_messages.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-23W9-X4HX-5JV5
Vulnerability from github – Published: 2022-05-17 00:34 – Updated: 2022-05-17 00:34Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a (1) URL in the startat parameter to xda/help/en/default.htm or (2) /%09/ (slash encoded horizontal tab slash) followed by a domain in the redirectUrl parameter to xda/component/virtuallinkconnect.
{
"affected": [],
"aliases": [
"CVE-2017-14524"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-28T01:29:00Z",
"severity": "MODERATE"
},
"details": "Multiple open redirect vulnerabilities in OpenText Documentum Administrator 7.2.0180.0055 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a (1) URL in the startat parameter to xda/help/en/default.htm or (2) /%09/ (slash encoded horizontal tab slash) followed by a domain in the redirectUrl parameter to xda/component/virtuallinkconnect.",
"id": "GHSA-23w9-x4hx-5jv5",
"modified": "2022-05-17T00:34:47Z",
"published": "2022-05-17T00:34:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14524"
},
{
"type": "WEB",
"url": "https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2017/Sep/57"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2435-FWP9-9Q2M
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:42Open redirect vulnerability in Cybozu Garoon 4.2.4 to 4.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the Login Screen.
{
"affected": [],
"aliases": [
"CVE-2019-5946"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-17T16:29:00Z",
"severity": "MODERATE"
},
"details": "Open redirect vulnerability in Cybozu Garoon 4.2.4 to 4.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the Login Screen.",
"id": "GHSA-2435-fwp9-9q2m",
"modified": "2024-04-04T00:42:26Z",
"published": "2022-05-24T16:46:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5946"
},
{
"type": "WEB",
"url": "https://kb.cybozu.support/article/35492"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN58849431/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-243V-5PFF-QQFJ
Vulnerability from github – Published: 2022-07-26 00:00 – Updated: 2024-04-24 17:30An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.0"
},
{
"fixed": "4.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "3.11"
},
{
"fixed": "3.11.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "3.9"
},
{
"fixed": "3.9.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35652"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-24T17:30:30Z",
"nvd_published_at": "2022-07-25T16:15:00Z",
"severity": "MODERATE"
},
"details": "An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, however, when clicked, it redirects the victims to arbitrary URL/domain. Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.",
"id": "GHSA-243v-5pff-qqfj",
"modified": "2024-04-24T17:30:30Z",
"published": "2022-07-26T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35652"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2106276"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MOKYVRNFNAODP2XSMGJ5CRDUZCZKAR3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTKUSFPSYFINSQFSOHDQIDVE6FWBEU6V"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=436459"
},
{
"type": "WEB",
"url": "http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-72171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Moodle Open redirect risk in mobile auto-login feature"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- Use a list of approved URLs or domains to be used for redirection.
Mitigation
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Mitigation MIT-21.2
Strategy: Enforcement by Conversion
- When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
- For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
Mitigation MIT-6
Strategy: Attack Surface Reduction
- Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
- Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-178: Cross-Site Flashing
An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.