Common Weakness Enumeration

CWE-601

Allowed

URL Redirection to Untrusted Site ('Open Redirect')

Abstraction: Base · Status: Draft

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

2307 vulnerabilities reference this CWE, most recent first.

GHSA-G867-7563-WVHV

Vulnerability from github – Published: 2025-06-15 15:30 – Updated: 2025-06-15 15:30
VLAI
Details

A vulnerability has been found in Astun Technology iShare Maps 5.4.0 and classified as problematic. This vulnerability affects unknown code of the file atCheckJS.aspx. The manipulation of the argument ref leads to open redirect. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-15T13:15:33Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in Astun Technology iShare Maps 5.4.0 and classified as problematic. This vulnerability affects unknown code of the file atCheckJS.aspx. The manipulation of the argument ref leads to open redirect. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-g867-7563-wvhv",
  "modified": "2025-06-15T15:30:30Z",
  "published": "2025-06-15T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6089"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.312556"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.312556"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.587876"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G897-JVJX-78VG

Vulnerability from github – Published: 2026-01-08 12:30 – Updated: 2026-01-09 21:31
VLAI
Details

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-08T10:15:46Z",
    "severity": "MODERATE"
  },
  "details": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a cross-protocol redirect to a second URL that uses an IMAP, LDAP,\nPOP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new\ntarget host.",
  "id": "GHSA-g897-jvjx-78vg",
  "modified": "2026-01-09T21:31:34Z",
  "published": "2026-01-08T12:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14524"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3459417"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2025-14524.html"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2025-14524.json"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/01/07/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G898-GRJX-8JM3

Vulnerability from github – Published: 2026-06-23 00:30 – Updated: 2026-06-23 00:30
VLAI
Details

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-56697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-22T22:16:52Z",
    "severity": "MODERATE"
  },
  "details": "Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-protocol check but resolve to a cross-origin URL against the current page protocol. Attackers can inject paths like //evil.com to redirect users to attacker-controlled hosts, enabling phishing and OAuth authorization-code theft.",
  "id": "GHSA-g898-grjx-8jm3",
  "modified": "2026-06-23T00:30:29Z",
  "published": "2026-06-23T00:30:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/security/advisories/GHSA-c9cv-mq2m-ppp3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/commit/6497d99dd106254abd089f6a263d7773869a343b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nuxt/nuxt/commit/e447a793c47766834f7497f8412a76cd56fd8ee1"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/nuxt-open-redirect-via-protocol-relative-paths-in-reloadnuxtapp"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G8MR-FGFG-5QPC

Vulnerability from github – Published: 2025-10-21 15:09 – Updated: 2026-01-21 16:15
VLAI
Summary
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
Details

Summary:

A bypass was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications.

This vulnerability affects the code referenced in GitHub Advisory GHSA-jgmv-j7ww-jx2x (which is tracked as CVE‑2025‑54420).

Details:

The patched code attempts to treat values that startWith('/') as safe relative paths and only perform origin checks for absolute URLs. However, protocol‑relative URLs (those beginning with //host) also start with '/' and therefore match the startsWith('/') branch. A protocol‑relative referrer such as //evil.com with trailing double-slash is treated by the implementation as a safe relative path, but browsers interpret Location: //evil.com as a redirect to https://evil.com (or http:// based on context). This discrepancy allows an attacker to supply Referer: //evil.com and trigger an external redirect - bypassing the intended same‑origin protection.

Proof of concept (PoC):

Affected line of code: https://github.com/koajs/koa/blob/master/lib/response.js#L326 The problematic logic looks like:

3

Request with a protocol‑relative Referer: curl -i -H "Referer: //haymiz.dev" http://127.0.0.1:3000/test

1

Vulnerable response will contain: HTTP/1.1 302 Found Location: //haymiz.dev

A browser receiving that Location header navigates to https://haymiz.dev (or http:// depending on context), resulting in an open redirect to an attacker‑controlled host:

2

Recommendation / Patch:

  • Do not treat //host as a safe relative path. Explicitly exclude protocol‑relative values from any relative‑path branch.
  • Normalize the Referer by resolving it with a base (e.g., new URL(rawRef, ctx.href)), then compare resolved.origin (scheme+host+port) to ctx.origin (or ctx.host plus scheme/port) before allowing the redirect.

Impact:

An attacker who can cause a victim to visit a specially crafted link (or inject a request with a controlled Referer) can cause the victim to be redirected to an attacker‑controlled domain. This can be used for phishing, social engineering, or to bypass some protection rules that rely on same‑origin navigation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.1"
            },
            {
              "fixed": "3.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.16.2"
            },
            {
              "fixed": "2.16.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-21T15:09:06Z",
    "nvd_published_at": "2025-10-21T17:15:40Z",
    "severity": "MODERATE"
  },
  "details": "### Summary:\n\nA bypass was discovered in the `Koa.js` framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user\u2019s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications.\n\nThis vulnerability affects the code referenced in GitHub Advisory GHSA-jgmv-j7ww-jx2x (which is tracked as CVE\u20112025\u201154420). \n\n### Details:\nThe patched code attempts to treat values that `startWith(\u0027/\u0027)` as safe relative paths and only perform origin checks for absolute URLs. However, protocol\u2011relative URLs (those beginning with //host) also start with \u0027/\u0027 and therefore match the startsWith(\u0027/\u0027) branch. A protocol\u2011relative referrer such as `//evil.com` with trailing double-slash is treated by the implementation as a safe relative path, but browsers interpret Location: //evil.com as a redirect to https://evil.com (or http:// based on context).\nThis discrepancy allows an attacker to supply Referer: //evil.com and trigger an external redirect - bypassing the intended same\u2011origin protection.\n\n### Proof of concept (PoC):\nAffected line of code: https://github.com/koajs/koa/blob/master/lib/response.js#L326\nThe problematic logic looks like:\n\n\u003cimg width=\"567\" height=\"509\" alt=\"3\" src=\"https://github.com/user-attachments/assets/33de440a-8945-4e5f-9e0a-2011a3999458\" /\u003e\n\nRequest with a protocol\u2011relative Referer:\ncurl -i -H \"Referer: //haymiz.dev\" http://127.0.0.1:3000/test\n\n\u003cimg width=\"2072\" height=\"1005\" alt=\"1\" src=\"https://github.com/user-attachments/assets/55c48c79-559d-46aa-8b76-c1d2d3536c8b\" /\u003e\n\nVulnerable response will contain:\nHTTP/1.1 302 Found\nLocation: //haymiz.dev\n\nA browser receiving that Location header navigates to https://haymiz.dev (or http:// depending on context), resulting in an open redirect to an attacker\u2011controlled host:\n\n\u003cimg width=\"454\" height=\"239\" alt=\"2\" src=\"https://github.com/user-attachments/assets/852ae81a-9f63-49c1-9ce5-72cd96bcea68\" /\u003e\n\n### Recommendation / Patch:\n* Do not treat //host as a safe relative path. Explicitly exclude protocol\u2011relative values from any relative\u2011path branch.\n* Normalize the Referer by resolving it with a base (e.g., new URL(rawRef, ctx.href)), then compare resolved.origin (scheme+host+port) to ctx.origin (or ctx.host plus scheme/port) before allowing the redirect.\n\n### Impact:\nAn attacker who can cause a victim to visit a specially crafted link (or inject a request with a controlled Referer) can cause the victim to be redirected to an attacker\u2011controlled domain. This can be used for phishing, social engineering, or to bypass some protection rules that rely on same\u2011origin navigation.",
  "id": "GHSA-g8mr-fgfg-5qpc",
  "modified": "2026-01-21T16:15:45Z",
  "published": "2025-10-21T15:09:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62595"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/koajs/koa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic"
}

GHSA-G8VH-644M-955P

Vulnerability from github – Published: 2022-05-17 00:29 – Updated: 2022-05-17 00:29
VLAI
Details

Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-6961"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-18T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.",
  "id": "GHSA-g8vh-644m-955p",
  "modified": "2022-05-17T00:29:22Z",
  "published": "2022-05-17T00:29:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6961"
    },
    {
      "type": "WEB",
      "url": "https://github.com/web2py/web2py/issues/731"
    },
    {
      "type": "WEB",
      "url": "https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G8WR-5FX9-G2GV

Vulnerability from github – Published: 2022-05-14 01:48 – Updated: 2022-05-14 01:48
VLAI
Details

An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The login function of the portal is vulnerable to insecure redirection (also called an open redirect). The in_hi_redirect parameter is not validated by the application after a successful login. NOTE: this CVE is assigned by MITRE and isn't validated by Oracle because Oracle WebCenter Interaction Portal is out of support.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-16954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-18T02:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The login function of the portal is vulnerable to insecure redirection (also called an open redirect). The in_hi_redirect parameter is not validated by the application after a successful login. NOTE: this CVE is assigned by MITRE and isn\u0027t validated by Oracle because Oracle WebCenter Interaction Portal is out of support.",
  "id": "GHSA-g8wr-5fx9-g2gv",
  "modified": "2022-05-14T01:48:52Z",
  "published": "2022-05-14T01:48:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16954"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2018/Sep/22"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105350"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G96R-V5QQ-9QCH

Vulnerability from github – Published: 2024-05-15 18:30 – Updated: 2024-05-15 18:30
VLAI
Details

A vulnerability in the web-based management interface of Cisco Crosswork Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.

This vulnerability is due to improper input validation of a parameter in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20369"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-15T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based management interface of Cisco Crosswork Network Services Orchestrator (NSO) could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.\n\n\n This vulnerability is due to improper input validation of a parameter in an HTTP request. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious website.",
  "id": "GHSA-g96r-v5qq-9qch",
  "modified": "2024-05-15T18:30:35Z",
  "published": "2024-05-15T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20369"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nso-ordir-MNM8YqzO"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G985-XXFJ-53G5

Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40
VLAI
Details

Archer before 6.8 P2 (6.8.0.2) is affected by an open redirect vulnerability. A remote privileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims' credentials and silently authenticate them to the Archer application without the victims realizing an attack occurred.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-29537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-29T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Archer before 6.8 P2 (6.8.0.2) is affected by an open redirect vulnerability. A remote privileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims\u0027 credentials and silently authenticate them to the Archer application without the victims realizing an attack occurred.",
  "id": "GHSA-g985-xxfj-53g5",
  "modified": "2022-05-24T17:40:34Z",
  "published": "2022-05-24T17:40:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-29537"
    },
    {
      "type": "WEB",
      "url": "https://community.rsa.com/docs/DOC-115223"
    },
    {
      "type": "WEB",
      "url": "https://www.rsa.com/en-us/company/vulnerability-response-policy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-G99X-GCM8-HCH3

Vulnerability from github – Published: 2025-01-27 21:30 – Updated: 2025-01-28 21:31
VLAI
Details

An issue in Baidu (China) Co Ltd Baidu Input Method (iOS version) v12.6.13 allows attackers to access user information via supplying a crafted link.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56953"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-27T19:15:16Z",
    "severity": "MODERATE"
  },
  "details": "An issue in Baidu (China) Co Ltd Baidu Input Method (iOS version) v12.6.13 allows attackers to access user information via supplying a crafted link.",
  "id": "GHSA-g99x-gcm8-hch3",
  "modified": "2025-01-28T21:31:02Z",
  "published": "2025-01-27T21:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56953"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ZhouZiyi1/Vuls/blob/main/241217-BaiduInput/241217-BaiduInput.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G9P5-GR7X-X74R

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2022-12-07 21:30
VLAI
Details

IBM Security Directory Server 6.4.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 165660.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-02T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Directory Server 6.4.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 165660.",
  "id": "GHSA-g9p5-gr7x-x74r",
  "modified": "2022-12-07T21:30:30Z",
  "published": "2022-05-24T16:57:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4538"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/165660"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/1077045"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • Use a list of approved URLs or domains to be used for redirection.
Mitigation
Architecture and Design

Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.

Mitigation MIT-21.2
Architecture and Design

Strategy: Enforcement by Conversion

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
  • For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Architecture and Design

Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).

Mitigation MIT-6
Architecture and Design Implementation

Strategy: Attack Surface Reduction

  • Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
  • Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-178: Cross-Site Flashing

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.