CVE-2024-12990

Name of the Vulnerable Software and Affected Versions ruifang-tech Rebuild version 3.8.6

Description A vulnerability was found in the Admin Verification Page of the affected software, specifically in the file /user/admin-verify. The issue is related to the manipulation of the nexturl argument, which can lead to an open redirect when an input like http://localhost/evil.html is used. This can be initiated remotely. The exploit has been publicly disclosed, and the vendor was contacted but did not respond.

Recommendations For version 3.8.6, consider restricting access to the /user/admin-verify page or disabling the nexturl argument to minimize the risk of exploitation until a patch is available. Avoid using the nexturl argument in the affected page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.