Common Weakness Enumeration

CWE-601

Allowed

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base · Status: Draft

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

2305 vulnerabilities reference this CWE, most recent first.

GHSA-7PWC-WH6M-44Q3

Vulnerability from github – Published: 2025-08-27 16:46 – Updated: 2025-08-29 15:22
VLAI
Summary
Google Sign-In for Rails allowed redirects to malformed URLs
Details

Summary

It is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin.

Details

The google_sign_in gem persists an optional URL for redirection after authentication. If this URL is malformed, it's possible for the user to be redirected to another origin after authentication, possibly resulting in exposure of authentication information such as the token.

Normally the value of this URL is only written and read by the library. If applications are configured to store session information in a database, there is no known vector to exploit this vulnerability. However, applications may be configured to store this information in a session cookie, in which case it may be chained with a session cookie attack to inject a crafted URL.

Impact

Rails applications configured to store the flash information in a session cookie may be vulnerable, if this can be chained with an attack that allows injection of arbitrary data into the session cookie.

Workarounds

If you are unable to upgrade this library, then you may mitigate the chained attack by explicitly setting SameSite=Lax or SameSite=Strict on the application session cookie.

Credits

This issue was responsibly reported by Hackerone user muntrive.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "google_sign_in"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-27T16:46:16Z",
    "nvd_published_at": "2025-08-27T17:15:48Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nIt is possible to craft a malformed URL that passes the \"same origin\" check, resulting in the user being redirected to another origin.\n\n### Details\n\nThe google_sign_in gem persists an optional URL for redirection after authentication. If this URL is malformed, it\u0027s possible for the user to be redirected to another origin after authentication, possibly resulting in exposure of authentication information such as the token.\n\nNormally the value of this URL is only written and read by the library. If applications are configured to store session information in a database, there is no known vector to exploit this vulnerability. However, applications may be configured to store this information in a session cookie, in which case it may be chained with a session cookie attack to inject a crafted URL.\n\n### Impact\n\nRails applications configured to store the `flash` information in a session cookie may be vulnerable, if this can be chained with an attack that allows injection of arbitrary data into the session cookie.\n\n### Workarounds\n\nIf you are unable to upgrade this library, then you may mitigate the chained attack by explicitly setting `SameSite=Lax` or `SameSite=Strict` on the application session cookie.\n\n### Credits\n\nThis issue was responsibly reported by Hackerone user [muntrive](https://hackerone.com/muntrive?type=user).",
  "id": "GHSA-7pwc-wh6m-44q3",
  "modified": "2025-08-29T15:22:58Z",
  "published": "2025-08-27T16:46:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/basecamp/google_sign_in/security/advisories/GHSA-7pwc-wh6m-44q3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57821"
    },
    {
      "type": "WEB",
      "url": "https://github.com/basecamp/google_sign_in/pull/73"
    },
    {
      "type": "WEB",
      "url": "https://github.com/basecamp/google_sign_in/commit/85903651201257d4f14b97d4582e6d968ac32f15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/basecamp/google_sign_in/commit/a0548a604fb17e4eb1a57029f0d87e34e8499623"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/basecamp/google_sign_in"
    },
    {
      "type": "WEB",
      "url": "https://github.com/basecamp/google_sign_in/releases/tag/v1.3.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google_sign_in/CVE-2025-57821.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Google Sign-In for Rails allowed redirects to malformed URLs"
}

GHSA-7Q3R-QJRG-8GRJ

Vulnerability from github – Published: 2025-12-30 09:30 – Updated: 2025-12-30 09:30
VLAI
Details

A security vulnerability has been detected in CloudPanel Community Edition up to 2.5.1. The affected element is an unknown function of the file /admin/users of the component HTTP Header Handler. Such manipulation of the argument Referer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.5.2 is sufficient to fix this issue. Upgrading the affected component is recommended.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15241"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T09:15:52Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability has been detected in CloudPanel Community Edition up to 2.5.1. The affected element is an unknown function of the file /admin/users of the component HTTP Header Handler. Such manipulation of the argument Referer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.5.2 is sufficient to fix this issue. Upgrading the affected component is recommended.",
  "id": "GHSA-7q3r-qjrg-8grj",
  "modified": "2025-12-30T09:30:21Z",
  "published": "2025-12-30T09:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15241"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Stolichnayer/cloudpanel-open-redirect"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Stolichnayer/cloudpanel-open-redirect?tab=readme-ov-file#%EF%B8%8F-steps-to-reproduce"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cloudpanel-io/cloudpanel-ce/releases/tag/v2.5.2"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.338631"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.338631"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.725543"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7Q8V-785J-JC5W

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04
VLAI
Details

A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to redirect users to a malicious file. This vulnerability is due to improper validation of URL paths in the application interface. An attacker could exploit this vulnerability by persuading a user to follow a specially crafted URL that is designed to cause Cisco Webex Meetings to include a remote file in the web UI. A successful exploit could allow the attacker to cause the application to offer a remote file to a user, which could allow the attacker to conduct further phishing or spoofing attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-04T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to redirect users to a malicious file. This vulnerability is due to improper validation of URL paths in the application interface. An attacker could exploit this vulnerability by persuading a user to follow a specially crafted URL that is designed to cause Cisco Webex Meetings to include a remote file in the web UI. A successful exploit could allow the attacker to cause the application to offer a remote file to a user, which could allow the attacker to conduct further phishing or spoofing attacks.",
  "id": "GHSA-7q8v-785j-jc5w",
  "modified": "2022-05-24T19:04:05Z",
  "published": "2022-05-24T19:04:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1525"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-redirect-XuZFU3PH"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7Q9G-RF94-V7CW

Vulnerability from github – Published: 2024-08-18 00:30 – Updated: 2024-08-18 00:30
VLAI
Details

A vulnerability was found in pkp ojs up to 3.4.0-6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login/signOut. The manipulation of the argument source with the input .example.com leads to open redirect. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7902"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T22:15:04Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in pkp ojs up to 3.4.0-6 and classified as problematic. Affected by this issue is some unknown functionality of the file /login/signOut. The manipulation of the argument source with the input .example.com leads to open redirect. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-7q9g-rf94-v7cw",
  "modified": "2024-08-18T00:30:32Z",
  "published": "2024-08-18T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7902"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.274910"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.274910"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.388216"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7QX6-F23W-3W7F

Vulnerability from github – Published: 2026-04-14 22:53 – Updated: 2026-04-14 22:53
VLAI
Summary
Unauthenticated Open Redirect, Arbitrary HTTP Response Header Injection, Missing CSRF, and Invisible-Mode Bypass in goshs `/?redirect` endpoint
Details

Summary

The GET /?redirect endpoint in goshs v2.0.0-beta.6 performs an HTTP redirect to any attacker-supplied url= value and writes any attacker-supplied header=Name: Value pair into the response, without scheme/host validation, without a header-name allow-list, without authentication in the default deployment, and without the checkCSRF() guard that GHSA-jrq5-hg6x-j6g3 added to the other state-changing GET routes (?mkdir, ?delete). The same dispatcher also lacks an fs.Invisible branch, so the endpoint stays responsive in -I stealth mode and reliably fingerprints an "invisible" goshs deployment with a single request.

Details

httpserver/handler.go:222-228 — the dispatcher gates ?redirect only with denyForTokenAccess (which only blocks share-token callers). It does not check fs.Invisible and does not call checkCSRF:

if _, ok := req.URL.Query()["redirect"]; ok {
    if denyForTokenAccess(w, req) {
        return true
    }
    fs.handleRedirect(w, req)
    return true
}

httpserver/handler.go:753-787handleRedirect:

func (fs *FileServer) handleRedirect(w http.ResponseWriter, req *http.Request) {
    q := req.URL.Query()

    target := q.Get("url")                                   // (1) no scheme/host validation
    if target == "" { /* 400 */ }

    status := http.StatusFound
    if s := q.Get("status"); s != "" {                        // (2) only constrained to 3xx
        code, err := strconv.Atoi(s)
        if err != nil || code < 300 || code > 399 { /* 400 */ }
        status = code
    }

    for _, h := range q["header"] {                          // (3) arbitrary header set
        parts := strings.SplitN(h, ": ", 2)
        if len(parts) != 2 || strings.TrimSpace(parts[0]) == "" { /* 400 */ }
        w.Header().Set(strings.TrimSpace(parts[0]), parts[1])
    }

    http.Redirect(w, req, target, status)                    // (4) attacker Location

    body := fs.emitCollabEvent(req, status)
    logger.LogRequest(req, status, fs.Verbose, fs.Webhook, body)
}

httpserver/server.go:85-100BasicAuthMiddleware is registered only when fs.User != "" || fs.Pass != ""; the default goshs invocation has neither, so ?redirect is open to anyone on the network.Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

PoC

poc.zip Please extract the uploaded compressed file before proceeding

  1. docker build -t goshs-poc .
  2. sh poc.sh

스크린샷 2026-04-13 오후 8 04 20

Impact

  • Cross-subdomain session fixation — Set-Cookie: …; Domain=.corp.com lands a fixed session on every sibling app on the parent domain.
  • TLS downgrade — Strict-Transport-Security: max-age=0 invalidates prior HSTS state for the origin, enabling MITM on subsequent visits.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/patrickhener/goshs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/patrickhener/goshs/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.0-beta.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T22:53:33Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nThe `GET /?redirect` endpoint in `goshs` v2.0.0-beta.6 performs an HTTP redirect to any attacker-supplied `url=` value and writes any attacker-supplied `header=Name: Value` pair into the response, without scheme/host validation, without a header-name allow-list, without authentication in the default deployment, and without the `checkCSRF()` guard that GHSA-jrq5-hg6x-j6g3 added to the other state-changing GET routes (`?mkdir`, `?delete`). The same dispatcher also lacks an `fs.Invisible` branch, so the endpoint stays responsive in `-I` stealth mode and reliably fingerprints an \"invisible\" goshs deployment with a single request.\n\n\n### Details\n`httpserver/handler.go:222-228` \u2014 the dispatcher gates `?redirect` only with `denyForTokenAccess` (which only blocks share-token callers). It does not check `fs.Invisible` and does not call `checkCSRF`:\n\n```go\nif _, ok := req.URL.Query()[\"redirect\"]; ok {\n    if denyForTokenAccess(w, req) {\n        return true\n    }\n    fs.handleRedirect(w, req)\n    return true\n}\n```\n\n`httpserver/handler.go:753-787` \u2014 `handleRedirect`:\n\n```go\nfunc (fs *FileServer) handleRedirect(w http.ResponseWriter, req *http.Request) {\n    q := req.URL.Query()\n\n    target := q.Get(\"url\")                                   // (1) no scheme/host validation\n    if target == \"\" { /* 400 */ }\n\n    status := http.StatusFound\n    if s := q.Get(\"status\"); s != \"\" {                        // (2) only constrained to 3xx\n        code, err := strconv.Atoi(s)\n        if err != nil || code \u003c 300 || code \u003e 399 { /* 400 */ }\n        status = code\n    }\n\n    for _, h := range q[\"header\"] {                          // (3) arbitrary header set\n        parts := strings.SplitN(h, \": \", 2)\n        if len(parts) != 2 || strings.TrimSpace(parts[0]) == \"\" { /* 400 */ }\n        w.Header().Set(strings.TrimSpace(parts[0]), parts[1])\n    }\n\n    http.Redirect(w, req, target, status)                    // (4) attacker Location\n\n    body := fs.emitCollabEvent(req, status)\n    logger.LogRequest(req, status, fs.Verbose, fs.Webhook, body)\n}\n```\n\n`httpserver/server.go:85-100` \u2014 `BasicAuthMiddleware` is registered only when `fs.User != \"\" || fs.Pass != \"\"`; the default `goshs` invocation has neither, so `?redirect` is open to anyone on the network._Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\n### PoC\n[poc.zip](https://github.com/user-attachments/files/26673401/poc.zip)\nPlease extract the uploaded compressed file before proceeding\n\n1. docker build -t goshs-poc .\n2. sh poc.sh\n\n\u003cimg width=\"1379\" height=\"197\" alt=\"\u1109\u1173\u110f\u1173\u1105\u1175\u11ab\u1109\u1163\u11ba 2026-04-13 \u110b\u1169\u1112\u116e 8 04 20\" src=\"https://github.com/user-attachments/assets/a557846f-47c7-4640-9fc5-34aa099d1a57\" /\u003e\n\n\n### Impact\n- Cross-subdomain session fixation \u2014 `Set-Cookie: \u2026; Domain=.corp.com` lands a fixed session on every sibling app on the parent domain.\n- TLS downgrade \u2014 `Strict-Transport-Security: max-age=0` invalidates prior HSTS state for the origin, enabling MITM on subsequent visits.",
  "id": "GHSA-7qx6-f23w-3w7f",
  "modified": "2026-04-14T22:53:34Z",
  "published": "2026-04-14T22:53:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-7qx6-f23w-3w7f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/patrickhener/goshs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unauthenticated Open Redirect, Arbitrary HTTP Response Header Injection, Missing CSRF, and Invisible-Mode Bypass in goshs `/?redirect` endpoint"
}

GHSA-7R93-VP6C-CW5M

Vulnerability from github – Published: 2026-06-19 00:31 – Updated: 2026-06-19 00:31
VLAI
Details

Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next= -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow.

The defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim's database, but the redirect launders the attacker's destination through pgAdmin's URL, which raises the success rate of credential-phishing follow-on against the victim.

Fix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied 'next' values through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter PoC.

This issue affects pgAdmin 4: from 6.0 before 9.16.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-19T00:16:47Z",
    "severity": "MODERATE"
  },
  "details": "Open redirect in pgAdmin 4\u0027s multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied \u0027next\u0027 query/form parameter without confirming the target pointed back inside pgAdmin, so an authenticated victim who clicked /mfa/validate?next=\u003cexternal\u003e -- a link typically delivered by phishing -- would be sent to an attacker-controlled host directly out of the trusted auth flow.\n\nThe defect is a trusted-domain redirect, not a privilege bypass: the attacker gains no read/write access to pgAdmin or the victim\u0027s database, but the redirect launders the attacker\u0027s destination through pgAdmin\u0027s URL, which raises the success rate of credential-phishing follow-on against the victim.\n\nFix introduces a same-origin _is_safe_redirect_url helper and gates every MFA redirect that consumes user-supplied \u0027next\u0027 values through it. The helper allows only relative paths and absolute URLs whose scheme is http(s) and whose host matches the current request host; it rejects external hosts in absolute and protocol-relative form, non-http schemes (javascript:, data:, mailto:), userinfo tricks (http://localhost@attacker/), and backslash variants that some browsers normalize to forward slashes. Unsafe targets fall back to the internal browser index. A dedicated regression test exercises each accept/reject category and the original reporter PoC.\n\nThis issue affects pgAdmin 4: from 6.0 before 9.16.",
  "id": "GHSA-7r93-vp6c-cw5m",
  "modified": "2026-06-19T00:31:38Z",
  "published": "2026-06-19T00:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12049"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgadmin-org/pgadmin4/issues/10028"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pgadmin-org/pgadmin4/commit/fff6a481854b07822c2b54e8181e6a9076d204cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7V2W-H4GH-W5CV

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 21:22
VLAI
Summary
Gradio Vulnerable to Open Redirect
Details

An open redirect vulnerability exists in the latest version of gradio-app/gradio. The vulnerability allows an attacker to redirect users to a malicious website by URL encoding. This can be exploited by sending a crafted request to the application, which results in a 302 redirect to an attacker-controlled site.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.37.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-8021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T21:22:13Z",
    "nvd_published_at": "2025-03-20T10:15:39Z",
    "severity": "MODERATE"
  },
  "details": "An open redirect vulnerability exists in the latest version of gradio-app/gradio. The vulnerability allows an attacker to redirect users to a malicious website by URL encoding. This can be exploited by sending a crafted request to the application, which results in a 302 redirect to an attacker-controlled site.",
  "id": "GHSA-7v2w-h4gh-w5cv",
  "modified": "2025-03-21T21:22:13Z",
  "published": "2025-03-20T12:32:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8021"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/adc23067-ec04-47ef-9265-afd452071888"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gradio Vulnerable to Open Redirect"
}

GHSA-7W6J-444C-WPVQ

Vulnerability from github – Published: 2022-05-14 02:20 – Updated: 2022-05-14 02:20
VLAI
Details

A security vulnerability in HPE IceWall SSO Dfw 10.0 and 11.0 on RHEL, HP-UX, and Windows could be exploited remotely to allow URL Redirection.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-06T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A security vulnerability in HPE IceWall SSO Dfw 10.0 and 11.0 on RHEL, HP-UX, and Windows could be exploited remotely to allow URL Redirection.",
  "id": "GHSA-7w6j-444c-wpvq",
  "modified": "2022-05-14T02:20:42Z",
  "published": "2022-05-14T02:20:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8989"
    },
    {
      "type": "WEB",
      "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbmu03833en_us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WMP-QGHR-8G7F

Vulnerability from github – Published: 2023-06-19 12:30 – Updated: 2024-01-07 12:30
VLAI
Details

When choosing a site-isolated process for a document loaded from a data: URL that was the result of a redirect, Firefox would load that document in the same process as the site that issued the redirect. This bypassed the site-isolation protections against Spectre-like attacks on sites that host an "open redirect". Firefox no longer follows HTTP redirects to data: URLs. This vulnerability affects Firefox < 114.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34415"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-19T11:15:10Z",
    "severity": "MODERATE"
  },
  "details": "When choosing a site-isolated process for a document loaded from a data: URL that was the result of a redirect, Firefox would load that document in the same process as the site that issued the redirect. This bypassed the site-isolation protections against Spectre-like attacks on sites that host an \"open redirect\". Firefox no longer follows HTTP redirects to data: URLs. This vulnerability affects Firefox \u003c 114.",
  "id": "GHSA-7wmp-qghr-8g7f",
  "modified": "2024-01-07T12:30:29Z",
  "published": "2023-06-19T12:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34415"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1811999"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-10"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2023-20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7WXF-R2QV-9XWR

Vulnerability from github – Published: 2024-02-29 22:14 – Updated: 2024-03-21 18:25
VLAI
Summary
Docassemble open redirect
Details

Impact

It is possible to create a URL that acts as an open redirect.

Patches

The vulnerability has been patched in version 1.4.97 of the master branch. The Docker image on docker.io has been patched.

Workarounds

If upgrading is not possible, manually apply the changes of 4801ac7 and restart the server (e.g., by pressing Save on the Configuration screen).

Credit

The vulnerability was discovered by Riyush Ghimire (@richighimi).

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "docassemble.webapp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.97"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-29T22:14:47Z",
    "nvd_published_at": "2024-03-21T02:52:19Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIt is possible to create a URL that acts as an open redirect.\n\n### Patches\nThe vulnerability has been patched in version 1.4.97 of the master branch. The Docker image on docker.io has been patched.\n\n### Workarounds\nIf upgrading is not possible, manually apply the changes of [4801ac7](https://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa) and restart the server (e.g., by pressing Save on the Configuration screen).\n\n### Credit\n\nThe vulnerability was discovered by Riyush Ghimire (@richighimi).\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [docassemble](https://github.com/jhpyle/docassemble/issues)\n* Join the [Slack channel](https://join.slack.com/t/docassemble/shared_invite/zt-2cspzjo9j-YyE7SrLmi5muAvnPv~Bz~A)\n* Email us at jhpyle@gmail.com",
  "id": "GHSA-7wxf-r2qv-9xwr",
  "modified": "2024-03-21T18:25:19Z",
  "published": "2024-02-29T22:14:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jhpyle/docassemble/security/advisories/GHSA-7wxf-r2qv-9xwr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27291"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jhpyle/docassemble"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Docassemble open redirect"
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • Use a list of approved URLs or domains to be used for redirection.
Mitigation
Architecture and Design

Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Mitigation MIT-21.2
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Architecture and Design

Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).

Mitigation MIT-6
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
  • Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-178: Cross-Site Flashing

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.