PT-2022-20480 · Unknown · Open Forms
Sergei-Maertens · Published 2022-06-13 · Updated 2022-06-21 · CVE-2022-31040
CVSS v3.1: 7.1 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Open Forms versions prior to 1.0.9 and 1.1.1
Description
The cookie consent page in Open Forms contains an open redirect: the page accepts a referer querystring parameter and fails to validate its value. A malicious actor is able to redirect users to a website under their control, opening them up to phishing attacks. The redirect is initiated by the Open Forms backend, which is a legitimate page, making it less obvious to end users that they are being redirected to a malicious website.
Recommendations
For versions prior to 1.0.9, update to version 1.0.9 or later to resolve the issue.
For versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue.
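The following is an added illustration of the kind of check that closes this class of bug; it is not code from Open Forms or from the upstream fix, and the host name forms.example.org, the allowed-host set and the fallback path are assumed for the example. It contrasts the vulnerable pattern (trusting the querystring value as-is) with a validator that only allows same-site targets, and it rejects the usual bypasses a reviewer would test for: scheme-relative URLs, backslash variants, non-http schemes, userinfo tricks and leading whitespace.

```python
from typing import Optional, Set
from urllib.parse import urlsplit

# Assumed host for this example installation (not taken from the advisory).
ALLOWED_HOSTS: Set[str] = {"forms.example.org"}
# Where to send the user when the requested target is not acceptable.
FALLBACK = "/"


def naive_redirect_target(referer: Optional[str]) -> str:
    """The vulnerable pattern: redirect wherever the querystring says."""
    return referer or FALLBACK


def is_safe_redirect_target(url: str, allowed_hosts: Set[str]) -> bool:
    """Return True only for targets that stay on this site.

    Accepts relative paths such as "/cookies/" and absolute http(s) URLs whose
    host is in allowed_hosts. Rejects scheme-relative URLs ("//evil"),
    backslash variants ("/\\evil"), non-http schemes ("javascript:"),
    userinfo tricks ("https://good@evil") and leading/control characters.
    """
    if not url:
        return False
    # Leading whitespace and control characters change how browsers parse.
    if url != url.strip() or any(ord(c) < 0x20 for c in url):
        return False
    # Browsers treat backslashes as slashes, so normalise before parsing;
    # "/\\evil" then becomes "//evil" and is caught as scheme-relative.
    normalised = url.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if not parts.scheme and not parts.netloc:
        # Relative target: must be a path starting with a single slash.
        # "//host" and "///host" are both treated as authorities by browsers.
        return normalised.startswith("/") and not normalised.startswith("//")
    # Absolute http(s) target: the host must be one of ours. urlsplit()
    # strips any userinfo, so "https://forms.example.org@evil.example/"
    # yields hostname "evil.example" and is rejected.
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


def safe_redirect_target(referer: Optional[str],
                         allowed_hosts: Set[str] = ALLOWED_HOSTS,
                         fallback: str = FALLBACK) -> str:
    """Hardened resolution: use the parameter only if it passes validation."""
    if referer and is_safe_redirect_target(referer, allowed_hosts):
        return referer
    return fallback


if __name__ == "__main__":
    # Constructed sample values a reviewer would try against the parameter.
    samples = [
        "/cookies/",
        "https://forms.example.org/cookies/?accepted=1",
        "https://evil.example/",
        "//evil.example/",
        "/\\evil.example/",
        "///evil.example",
        "javascript:alert(1)",
        "https://forms.example.org@evil.example/",
        " /cookies/",
        None,
    ]
    for sample in samples:
        print(f"{sample!r:45} naive -> {naive_redirect_target(sample)!r:45}"
              f" safe -> {safe_redirect_target(sample)!r}")
```

In a Django view the equivalent check is `django.utils.http.url_has_allowed_host_and_scheme`; the hand-written version above exists only to make the rejected cases explicit.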
Exploit
Fix
Open Redirect
Weakness Enumeration
Related Identifiers
Affected Products
Open Forms