Lucene search

GitHub Advisory DatabaseGHSA-V2VF-JV88-3FP5

HistoryJun 26, 2024 - 5:42 p.m.

October System module has an Open Redirect for Administrator Accounts

2024-06-2617:42:18

CWE-601

GitHub Advisory Database

github.com

open redirect

october system

administrator accounts

pagefinder schema

trusted user

patches

v3.5.15

external links

vulnerability

3.5 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.1%

JSON

Impact

This advisory affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (october://) allowed external links, therefore allowing an open redirect outside the scope of the active host.

This vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user.

Patches

This issue has been patched in v3.5.15.

References

Credits to:

Benzetaa

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

Affected configurations

Vulners

Node

octobersystemRange<3.5.15

CPENameOperatorVersion
october/systemlt3.5.15

CPE	Name	Operator	Version
	october/system	lt	3.5.15