PT-2024-29577 · Twisted+5
V1Ktor0T · Published 2024-07-29 · Updated 2025-12-26
CVE-2024-41810
CVSS v2.0: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Twisted versions prior to 24.7.0rc1
Description

The twisted.web.util.redirectTo function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL, this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. The function reflects the destination URL in the HTML body without any output encoding, allowing an attacker to inject arbitrary HTML into the response's body, ultimately leading to an XSS attack. This issue can be exploited in Firefox, allowing malicious JavaScript to run in the context of the victim's session, leading to unauthorized access or modification of the victim's account and information.

Recommendations

For Twisted versions prior to 24.7.0rc1, update to version 24.7.0rc1 or later to fix the vulnerability. As a temporary workaround, consider restricting the use of the redirectTo function to minimize the risk of exploitation. Avoid using the redirectTo function with untrusted or user-controlled URLs until the issue is resolved.

Exploit
Fix
XSS
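The unescaped reflection the description refers to, beside the output-encoded form and the allowlist check the recommendations call for, as an added Python example that is not Twisted's own code: the HTML template, the allowed host set and the sample URL are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Constructed template standing in for a "redirecting to <url>" body;
# it does not reproduce the real twisted.web.util.redirectTo markup.
_BODY = (
    '<html><head><meta http-equiv="refresh" content="0;URL={url}"></head>'
    '<body><a href="{url}">click here</a></body></html>'
)

# Constructed untrusted input: a benign <b> tag is enough to show whether
# markup in the URL survives into the response body.
SAMPLE_UNTRUSTED = 'https://example.test/?next="><b>marked</b>'


def unsafe_redirect_body(url: str) -> str:
    """Vulnerable pattern: the URL is interpolated into the HTML verbatim."""
    return _BODY.format(url=url)


def safe_redirect_body(url: str) -> str:
    """Hardened pattern: escape &, <, >, " and ' before interpolation.

    Escaping changes how the browser parses the page, not where it navigates,
    so the redirect still works for legitimate URLs.
    """
    return _BODY.format(url=html.escape(url, quote=True))


def is_allowed_redirect(url: str, allowed_hosts: frozenset) -> bool:
    """Workaround from the advisory: refuse user-controlled targets whose
    scheme is not http(s) or whose host is not on an explicit allowlist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    return parts.hostname.lower() in allowed_hosts


def contains_raw_markup(body: str, url: str) -> bool:
    """Review check: True when the URL carries markup characters and the body
    still contains the URL byte-for-byte, i.e. nothing was encoded."""
    return any(c in url for c in '<>"\'&') and url in body
```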
Affected Products
Astra Linux
Linuxmint
Red Os
Suse
Twisted
Ubuntu