PT-2018-18729 · Open Audit · Open-Audit Professional

Nilesh Sapariya · Published 2018-03-26 · Updated 2018-04-20 · CVE-2018-8937

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Open-AudIT Professional version 2.1

Description: Open-AudIT Professional 2.1 allows injecting a malicious payload into the redirect url parameter of the "/login" URI, triggering an open redirect. A "data:text/html;base64," payload carrying JavaScript code can be used.

Recommendations: For Open-AudIT Professional version 2.1, consider restricting access to the /login URI or validating the redirect url parameter to prevent malicious injections until a patch is available. As a temporary workaround, avoid using the redirect url parameter in the affected API endpoint until the issue is resolved.
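The parameter validation the recommendation calls for, written here as an added example and not the vendor's own code: the redirect target is honoured only when it is a same-origin relative path, so any scheme-bearing value (including the "data:" class named above), any protocol-relative "//host" form and any backslash variant falls back to a fixed landing page. The function name, the default landing path and the sample inputs are assumptions constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed fixed landing page used whenever the supplied target is unsafe.
DEFAULT_LANDING = "/"


def safe_redirect_target(value: Optional[str], default: str = DEFAULT_LANDING) -> str:
    """Return `value` only if it is a same-origin relative path; else `default`.

    Mitigates open redirects of the kind described in the advisory: the
    login handler should pass the raw redirect parameter through this
    function instead of using it directly in a Location header.
    """
    if not value or value != value.strip():
        # Empty, or padded with whitespace that browsers would silently strip.
        return default
    # Control characters and backslashes are rejected outright: browsers
    # normalise "\" to "/", so "/\evil.example" would become "//evil.example".
    if "\\" in value or any(ord(c) < 0x20 or c == "\x7f" for c in value):
        return default
    try:
        parts = urlsplit(value)
    except ValueError:
        # Malformed authority (e.g. unbalanced IPv6 brackets).
        return default
    # Any scheme (http, https, javascript, data, ...) is an absolute target
    # and therefore never acceptable for a post-login redirect.
    if parts.scheme or parts.netloc:
        return default
    # "//host" is caught via netloc above; "///host" is not, yet browsers
    # collapse the extra slashes into an authority, so check the prefix too.
    if value.startswith("//") or not parts.path.startswith("/"):
        return default
    # Rebuild from components so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs (not taken from the advisory):
    samples = [
        "/devices?view=list#top",          # legitimate in-app page
        "data:text/html;base64,QUJDRA==",  # placeholder for the payload class
        "//evil.example/",                 # protocol-relative host
        "///evil.example",                 # slash-collapsing variant
        "/\\evil.example",                 # backslash variant
        "javascript:alert(1)",             # non-navigational scheme
    ]
    for s in samples:
        print(f"{s!r:40} -> {safe_redirect_target(s)!r}")
```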

Weakness Enumeration: Open Redirect

Related Identifiers: CVE-2018-8937

Affected Products: Open-Audit Professional