CVE-2022-25295

Name of the Vulnerable Software and Affected Versions gophish versions prior to 0.12.0

Description The issue exists in the next query parameter, where the application uses url.Parse(r.FormValue("next")) to extract the path and redirect the user to a relative URL. However, if the next parameter starts with multiple backslashes, the browser will redirect the user to an absolute URL, such as http://example.com. This allows for an Open Redirect attack.

Recommendations For versions prior to 0.12.0, update to version 0.12.0 or later to resolve the issue. As a temporary workaround, consider validating the next parameter to prevent redirects to absolute URLs. Restrict access to the next query parameter to minimize the risk of exploitation. Avoid using the next parameter with multiple backslashes until the issue is resolved.