Common Weakness Enumeration

CWE-601

Allowed

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base · Status: Draft

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

2307 vulnerabilities reference this CWE, most recent first.

GHSA-FJFW-648M-HM95

Vulnerability from github – Published: 2023-12-04 15:31 – Updated: 2023-12-07 21:31
VLAI
Details

kkFileView v4.3.0 is vulnerable to Incorrect Access Control.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-04T15:15:07Z",
    "severity": "MODERATE"
  },
  "details": "kkFileView v4.3.0 is vulnerable to Incorrect Access Control.",
  "id": "GHSA-fjfw-648m-hm95",
  "modified": "2023-12-07T21:31:10Z",
  "published": "2023-12-04T15:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48815"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kekingcn/kkFileView"
    },
    {
      "type": "WEB",
      "url": "https://github.com/varzhang/There-is-a-vulnerability-in-kkFileView/blob/main/README.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FJRM-89CV-J79Q

Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2023-02-17 21:30
VLAI
Details

Prior to commit 51867e0d15a6d7f80d5b714fd0e9976b9c160bb0, https://github.com/brave/adblock-lists removed redirect interceptors on some websites like Facebook in which the redirect interceptor may have been there for security purposes. This could potentially cause open redirects on these websites. Brave's redirect interceptor removal feature is known as "debouncing" and is intended to remove unnecessary redirects that track users across the web.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Prior to commit 51867e0d15a6d7f80d5b714fd0e9976b9c160bb0, https://github.com/brave/adblock-lists removed redirect interceptors on some websites like Facebook in which the redirect interceptor may have been there for security purposes. This could potentially cause open redirects on these websites. Brave\u0027s redirect interceptor removal feature is known as \"debouncing\" and is intended to remove unnecessary redirects that track users across the web.",
  "id": "GHSA-fjrm-89cv-j79q",
  "modified": "2023-02-17T21:30:41Z",
  "published": "2023-02-09T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22798"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1579374"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FM3J-3RRX-FRH2

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2024-04-04 01:09
VLAI
Details

Read the Docs before 3.5.1 has an Open Redirect if certain user-defined redirects are used. This affects private instances of Read the Docs (in addition to the public readthedocs.org web sites).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-02T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Read the Docs before 3.5.1 has an Open Redirect if certain user-defined redirects are used. This affects private instances of Read the Docs (in addition to the public readthedocs.org web sites).",
  "id": "GHSA-fm3j-3rrx-frh2",
  "modified": "2024-04-04T01:09:03Z",
  "published": "2022-05-24T16:49:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/readthedocs/readthedocs.org/security/advisories/GHSA-2mw9-4c46-qrcv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13175"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FP4X-GGRF-WMC6

Vulnerability from github – Published: 2026-03-23 21:48 – Updated: 2026-03-23 21:48
VLAI
Summary
H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation
Details

Summary

The redirectBack() utility in h3 validates that the Referer header shares the same origin as the request before using its pathname as the redirect Location. However, the pathname is not sanitized for protocol-relative paths (starting with //). An attacker can craft a same-origin URL with a double-slash path segment that passes the origin check but produces a Location header interpreted by browsers as a protocol-relative redirect to an external domain.

Details

The vulnerable code is in src/utils/response.ts:89-97:

export function redirectBack(
  event: H3Event,
  opts: { fallback?: string; status?: number; allowQuery?: boolean } = {},
): HTTPResponse {
  const referer = event.req.headers.get("referer");
  let location = opts.fallback ?? "/";
  if (referer && URL.canParse(referer)) {
    const refererURL = new URL(referer);
    if (refererURL.origin === event.url.origin) {
      // BUG: pathname can be "//evil.com/path" which browsers interpret
      // as a protocol-relative URL
      location = refererURL.pathname + (opts.allowQuery ? refererURL.search : "");
    }
  }
  return redirect(location, opts.status);
}

The root cause is a discrepancy between how the WHATWG URL parser and browsers handle double-slash paths:

  1. new URL("http://target.com//evil.com/path").origin"http://target.com" — origin check passes
  2. new URL("http://target.com//evil.com/path").pathname"//evil.com/path" — extracted as redirect location
  3. Browser receives Location: //evil.com/path → interprets as protocol-relative URL → redirects to evil.com

Attack scenario: The attacker shares a link like http://target.com//evil.com/page. If the target application has catch-all routes (common in SPAs built with h3/Nitro), the app serves its page at that URL. When the user navigates to an endpoint calling redirectBack(), the browser sends Referer: http://target.com//evil.com/page. The origin check passes, and the user is redirected to evil.com, which can host a phishing page mimicking the target.

PoC

# 1. Create a minimal h3 app with redirectBack
cat > /tmp/h3-redirect-poc.ts << 'SCRIPT'
import { H3, redirectBack } from "h3";

const app = new H3();
app.post("/submit", (event) => redirectBack(event));

const res = await app.fetch(new Request("http://localhost/submit", {
  method: "POST",
  headers: { referer: "http://localhost//evil.com/steal" }
}));

console.log("Status:", res.status);
console.log("Location:", res.headers.get("location"));
// Expected: a same-origin path
// Actual: "//evil.com/steal" — protocol-relative redirect to evil.com
SCRIPT

# 2. Verify URL parsing behavior
node -e "
const u = new URL('http://localhost//evil.com/steal');
console.log('origin:', u.origin);         // http://localhost
console.log('pathname:', u.pathname);     // //evil.com/steal
console.log('origin matches localhost:', u.origin === 'http://localhost');  // true
"
# Output:
# origin: http://localhost
# pathname: //evil.com/steal
# origin matches localhost: true

Impact

An attacker can redirect users from a trusted application to an attacker-controlled domain. This enables:

  • Credential phishing: Redirect to a lookalike login page to harvest credentials
  • OAuth token theft: In OAuth flows using redirectBack(), steal authorization codes by redirecting to an attacker's callback
  • Trust exploitation: Users see the initial link points to the trusted domain, lowering suspicion

The vulnerability requires no authentication and affects any endpoint using redirectBack().

Recommended Fix

Sanitize the extracted pathname to prevent protocol-relative URLs. In src/utils/response.ts, after extracting the pathname from the referer:

export function redirectBack(
  event: H3Event,
  opts: { fallback?: string; status?: number; allowQuery?: boolean } = {},
): HTTPResponse {
  const referer = event.req.headers.get("referer");
  let location = opts.fallback ?? "/";
  if (referer && URL.canParse(referer)) {
    const refererURL = new URL(referer);
    if (refererURL.origin === event.url.origin) {
      let pathname = refererURL.pathname;
      // Prevent protocol-relative open redirect (e.g., "//evil.com")
      if (pathname.startsWith("//")) {
        pathname = "/" + pathname.replace(/^\/+/, "");
      }
      location = pathname + (opts.allowQuery ? refererURL.search : "");
    }
  }
  return redirect(location, opts.status);
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "h3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.1-rc.17"
            },
            {
              "fixed": "2.0.1-rc.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.0.1-rc.17"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-23T21:48:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `redirectBack()` utility in h3 validates that the `Referer` header shares the same origin as the request before using its pathname as the redirect `Location`. However, the pathname is not sanitized for protocol-relative paths (starting with `//`). An attacker can craft a same-origin URL with a double-slash path segment that passes the origin check but produces a `Location` header interpreted by browsers as a protocol-relative redirect to an external domain.\n\n## Details\n\nThe vulnerable code is in `src/utils/response.ts:89-97`:\n\n```typescript\nexport function redirectBack(\n  event: H3Event,\n  opts: { fallback?: string; status?: number; allowQuery?: boolean } = {},\n): HTTPResponse {\n  const referer = event.req.headers.get(\"referer\");\n  let location = opts.fallback ?? \"/\";\n  if (referer \u0026\u0026 URL.canParse(referer)) {\n    const refererURL = new URL(referer);\n    if (refererURL.origin === event.url.origin) {\n      // BUG: pathname can be \"//evil.com/path\" which browsers interpret\n      // as a protocol-relative URL\n      location = refererURL.pathname + (opts.allowQuery ? refererURL.search : \"\");\n    }\n  }\n  return redirect(location, opts.status);\n}\n```\n\nThe root cause is a discrepancy between how the WHATWG URL parser and browsers handle double-slash paths:\n\n1. `new URL(\"http://target.com//evil.com/path\").origin` \u2192 `\"http://target.com\"` \u2014 origin check **passes**\n2. `new URL(\"http://target.com//evil.com/path\").pathname` \u2192 `\"//evil.com/path\"` \u2014 extracted as redirect location\n3. Browser receives `Location: //evil.com/path` \u2192 interprets as protocol-relative URL \u2192 **redirects to `evil.com`**\n\n**Attack scenario:** The attacker shares a link like `http://target.com//evil.com/page`. If the target application has catch-all routes (common in SPAs built with h3/Nitro), the app serves its page at that URL. When the user navigates to an endpoint calling `redirectBack()`, the browser sends `Referer: http://target.com//evil.com/page`. The origin check passes, and the user is redirected to `evil.com`, which can host a phishing page mimicking the target.\n\n## PoC\n\n```bash\n# 1. Create a minimal h3 app with redirectBack\ncat \u003e /tmp/h3-redirect-poc.ts \u003c\u003c \u0027SCRIPT\u0027\nimport { H3, redirectBack } from \"h3\";\n\nconst app = new H3();\napp.post(\"/submit\", (event) =\u003e redirectBack(event));\n\nconst res = await app.fetch(new Request(\"http://localhost/submit\", {\n  method: \"POST\",\n  headers: { referer: \"http://localhost//evil.com/steal\" }\n}));\n\nconsole.log(\"Status:\", res.status);\nconsole.log(\"Location:\", res.headers.get(\"location\"));\n// Expected: a same-origin path\n// Actual: \"//evil.com/steal\" \u2014 protocol-relative redirect to evil.com\nSCRIPT\n\n# 2. Verify URL parsing behavior\nnode -e \"\nconst u = new URL(\u0027http://localhost//evil.com/steal\u0027);\nconsole.log(\u0027origin:\u0027, u.origin);         // http://localhost\nconsole.log(\u0027pathname:\u0027, u.pathname);     // //evil.com/steal\nconsole.log(\u0027origin matches localhost:\u0027, u.origin === \u0027http://localhost\u0027);  // true\n\"\n# Output:\n# origin: http://localhost\n# pathname: //evil.com/steal\n# origin matches localhost: true\n```\n\n## Impact\n\nAn attacker can redirect users from a trusted application to an attacker-controlled domain. This enables:\n\n- **Credential phishing**: Redirect to a lookalike login page to harvest credentials\n- **OAuth token theft**: In OAuth flows using `redirectBack()`, steal authorization codes by redirecting to an attacker\u0027s callback\n- **Trust exploitation**: Users see the initial link points to the trusted domain, lowering suspicion\n\nThe vulnerability requires no authentication and affects any endpoint using `redirectBack()`.\n\n## Recommended Fix\n\nSanitize the extracted pathname to prevent protocol-relative URLs. In `src/utils/response.ts`, after extracting the pathname from the referer:\n\n```typescript\nexport function redirectBack(\n  event: H3Event,\n  opts: { fallback?: string; status?: number; allowQuery?: boolean } = {},\n): HTTPResponse {\n  const referer = event.req.headers.get(\"referer\");\n  let location = opts.fallback ?? \"/\";\n  if (referer \u0026\u0026 URL.canParse(referer)) {\n    const refererURL = new URL(referer);\n    if (refererURL.origin === event.url.origin) {\n      let pathname = refererURL.pathname;\n      // Prevent protocol-relative open redirect (e.g., \"//evil.com\")\n      if (pathname.startsWith(\"//\")) {\n        pathname = \"/\" + pathname.replace(/^\\/+/, \"\");\n      }\n      location = pathname + (opts.allowQuery ? refererURL.search : \"\");\n    }\n  }\n  return redirect(location, opts.status);\n}\n```",
  "id": "GHSA-fp4x-ggrf-wmc6",
  "modified": "2026-03-23T21:48:24Z",
  "published": "2026-03-23T21:48:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/security/advisories/GHSA-fp4x-ggrf-wmc6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/commit/459a1c6593365b0810e9c502df7c3e82837321d7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/h3js/h3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation"
}

GHSA-FP5R-V55Q-WGX7

Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45
VLAI
Details

The appstore before 8.12.0.0 exposes some of its components, and the attacker can cause remote download and install apps through carefully constructed parameters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-12483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-23T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The appstore before 8.12.0.0 exposes some of its components, and the attacker can cause remote download and install apps through carefully constructed parameters.",
  "id": "GHSA-fp5r-v55q-wgx7",
  "modified": "2022-05-24T17:45:04Z",
  "published": "2022-05-24T17:45:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12483"
    },
    {
      "type": "WEB",
      "url": "https://www.vivo.com/en/support/security-advisory-detail?id=1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FPGV-9V95-HRGV

Vulnerability from github – Published: 2021-12-09 00:01 – Updated: 2021-12-10 00:01
VLAI
Details

A url redirection to untrusted site ('open redirect') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlers

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-36191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-08T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A url redirection to untrusted site (\u0027open redirect\u0027) in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to use the device as proxy via crafted GET parameters in requests to error handlers",
  "id": "GHSA-fpgv-9v95-hrgv",
  "modified": "2021-12-10T00:01:02Z",
  "published": "2021-12-09T00:01:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36191"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-21-133"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FPQR-6JCH-4XHQ

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09
VLAI
Details

Dell EMC Avamar Server contains an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-5329"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-29T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Dell EMC Avamar Server contains an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links.",
  "id": "GHSA-fpqr-6jch-4xhq",
  "modified": "2022-05-24T19:09:18Z",
  "published": "2022-05-24T19:09:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5329"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/security/en-us/details/541529/DSA-2020-046-Dell-EMC-Avamar-Server-Open-Redirect-Vulnerability"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-FPR3-J2R5-95C5

Vulnerability from github – Published: 2024-06-13 06:30 – Updated: 2024-07-02 21:32
VLAI
Details

Themify Builder WordPress plugin before 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3032"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-13T06:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Themify Builder WordPress plugin before 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue",
  "id": "GHSA-fpr3-j2r5-95c5",
  "modified": "2024-07-02T21:32:04Z",
  "published": "2024-06-13T06:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3032"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/d130a60c-c36b-4994-9b0e-e52cd7f99387"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ4W-55P7-P77C

Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 21:30
VLAI
Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in KaizenCoders Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress update-urls allows Phishing.This issue affects Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress: from n/a through <= 1.4.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25392"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T09:16:21Z",
    "severity": "MODERATE"
  },
  "details": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in KaizenCoders Update URLs \u0026#8211; Quick and Easy way to search old links and replace them with new links in WordPress update-urls allows Phishing.This issue affects Update URLs \u0026#8211; Quick and Easy way to search old links and replace them with new links in WordPress: from n/a through \u003c= 1.4.0.",
  "id": "GHSA-fq4w-55p7-p77c",
  "modified": "2026-02-19T21:30:45Z",
  "published": "2026-02-19T18:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25392"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/update-urls/vulnerability/wordpress-update-urls-quick-and-easy-way-to-search-old-links-and-replace-them-with-new-links-in-wordpress-plugin-1-3-0-open-redirection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FQ53-5RCC-2CJ7

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:30
VLAI
Details

A user having access to the UI of a Revive Adserver instance could be tricked into clicking on a specifically crafted admin account-switch.php URL that would eventually lead them to another (unsafe) domain, potentially used for stealing credentials or other phishing attacks. This vulnerability was addressed in version 4.2.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-06T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A user having access to the UI of a Revive Adserver instance could be tricked into clicking on a specifically crafted admin account-switch.php URL that would eventually lead them to another (unsafe) domain, potentially used for stealing credentials or other phishing attacks. This vulnerability was addressed in version 4.2.0.",
  "id": "GHSA-fq53-5rcc-2cj7",
  "modified": "2024-04-04T00:30:41Z",
  "published": "2022-05-24T16:45:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5433"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/390663"
    },
    {
      "type": "WEB",
      "url": "https://www.revive-adserver.com/security/revive-sa-2019-001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • Use a list of approved URLs or domains to be used for redirection.
Mitigation
Architecture and Design

Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Mitigation MIT-21.2
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Architecture and Design

Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).

Mitigation MIT-6
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
  • Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-178: Cross-Site Flashing

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.