Sergei-Maertens

**Name of the Vulnerable Software and Affected Versions** Open Forms versions prior to 2.2.9 Open Forms versions prior to 2.3.7 Open Forms versions prior to 2.4.5 Open Forms versions prior to 2.5.2 **Description** Open Forms allows users to create and publish smart forms. The software contains a non-exploitable multi-factor authentication weakness. If an attacker manages to authenticate to Open Forms and compromises a superuser's credentials (username + password), they could potentially bypass the second-factor authentication. This could allow the attacker to view potentially sensitive submission data or impersonate other staff accounts to view and/or modify data. There are mitigating factors, including the usual login page at "/admin/login/" requiring the second factor to be successfully provided, a misconfigured non-MFA protected login page at "/api/v2/api-authlogin/" that cannot be used to log in, and no additional ways to log in. The maintainers of Open Forms do not believe it is or has been possible to perform this login. **Recommendations** For versions prior to 2.2.9, update to version 2.2.9 or later. For versions prior to 2.3.7, update to version 2.3.7 or later. For versions prior to 2.4.5, update to version 2.4.5 or later. For versions prior to 2.5.2, update to version 2.5.2 or later. As a temporary workaround, consider restricting access to the API auth endpoints (`/api/v2/api-auth/login/`) and apply a custom permission check to the hijack flow to only allow second-factor-verified superusers to perform user hijacking.

**Name of the Vulnerable Software and Affected Versions** Open Forms versions prior to 1.0.9 and 1.1.1 **Description** The cookie consent page in Open Forms contains an open redirect by injecting a `referer` querystring parameter and failing to validate the value. A malicious actor is able to redirect users to a website under their control, opening them up for phishing attacks. The redirect is initiated by the Open Forms backend, which is a legitimate page, making it less obvious to end users they are being redirected to a malicious website. **Recommendations** For versions prior to 1.0.9, update to version 1.0.9 or later to resolve the issue. For versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Open Forms versions prior to 1.0.9 Open Forms versions prior to 1.1.1 **Description** Open Forms is an application for creating and publishing smart forms, supporting file uploads with configurable allowed file extensions. The input validation of uploaded files is insufficient, allowing users to alter or strip file extensions and bypass validation. This results in files being uploaded to the server with different file types than indicated by the file name extension, potentially leading to malicious files entering internal networks. **Recommendations** For versions prior to 1.0.9, update to version 1.0.9 or later to resolve the issue. For versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue. As a temporary workaround, consider using an API gateway or intrusion detection solution in front of Open Forms to scan for and block malicious content before it reaches the application.

**Name of the Vulnerable Software and Affected Versions** Open Zaak versions prior to 1.3.3 **Description** Open Zaak is a modern, open-source data- and services-layer to enable zaakgericht werken, a Dutch approach to case management. The Cross-Origin-Resource-Sharing policy in Open Zaak is currently wide open, allowing every client to perform AJAX calls to known Open Zaak installations without being blocked by the browser. This was intended to only apply to development machines running on localhost/127.0.0.1. However, the vulnerability does not seem exploitable due to several reasons: - The session cookie has a `Same-Site: Lax` policy, preventing it from being sent along in Cross-Origin requests. - All pages that give access to production data are login-protected. - `Access-Control-Allow-Credentials` is set to `false`. - CSRF checks probably block the remote origin, since they are not explicitly added to the trusted allowlist. **Recommendations** For Open Zaak versions prior to 1.3.3, update to version 1.3.3 or later, which disables CORS by default. If necessary, CORS can be opted-in through environment variables in version 1.3.3 and later.