CVE-2023-0748

Name of the Vulnerable Software and Affected Versions BTCPay Server versions prior to 1.7.6

Description The issue is related to an open redirect vulnerability in the BTCPay Server automated billing system, specifically with the handling of the returnUrl parameter. This could allow a remote attacker to conduct phishing attacks using a specially crafted malicious link. The vulnerability may be exploited to redirect users to unintended locations, potentially leading to security breaches.

Recommendations For versions prior to 1.7.6, update to version 1.7.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the returnUrl parameter to minimize the risk of exploitation.