PT-2018-12926 · Gogs · Gogs
Chromium1337
·
Publicado
2018-08-08
·
Atualizado
2024-08-21
·
CVE-2018-15178
CVSS v3.1
6.1
Média
| Vetor | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Gogs versions prior to 0.12
Description
The issue allows remote attackers to redirect users to arbitrary websites, potentially leading to phishing attacks. This is achieved via an initial
/ substring in the redirect to parameter. The isValidRedirect function in routes/user/auth.go is related to this issue.Recommendations
For versions prior to 0.12, consider restricting access to the
redirect to parameter in the user/login endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the redirect to parameter with initial / substrings until a patch is available.Exploit
Correção
Open Redirect
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Gogs