A flaw was found in mod_auth_mellon where it does not sanitize logout URLs properly. This issue could be used by an attacker to facilitate phishing attacks by tricking users into visiting a trusted web application URL that redirects to an external and potentially malicious server. The highest threat from this liability is to confidentiality and integrity.

🗓️ 27 Aug 2022 07:00:00Reported by MicrosoftType

mscve

mscve🔗 msrc.microsoft.com👁 1 Views

The mod_auth_mellon logout address sanitization flaw enables phishing via redirects to malicious servers.

Reporter	Title	Published	Views	Family All 71
Tenable Nessus	Amazon Linux 2 : mod_auth_mellon (ALAS-2023-2077)	8 Jun 202300:00	–	nessus
Tenable Nessus	Amazon Linux AMI : mod24_auth_mellon (ALAS-2023-1765)	9 Jun 202300:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0149: mod_auth_mellon (ALINUX3-SA-2023:0149)	14 May 202500:00	–	nessus
Tenable Nessus	AlmaLinux 8 : mod_auth_mellon (ALSA-2022:1934)	12 May 202200:00	–	nessus
Tenable Nessus	CentOS 8 : mod_auth_mellon (CESA-2022:1934)	10 May 202200:00	–	nessus
Tenable Nessus	CentOS 9 : mod_auth_mellon-0.17.0-6.el9	29 Feb 202400:00	–	nessus
Tenable Nessus	Debian dla-3359 : libapache2-mod-auth-mellon - security update	12 Mar 202300:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP5 : mod_auth_mellon (EulerOS-SA-2021-2511)	27 Sep 202100:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP3 : mod_auth_mellon (EulerOS-SA-2021-2597)	25 Oct 202100:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP8 : mod_auth_mellon (EulerOS-SA-2022-1354)	28 Mar 202200:00	–	nessus

Vulners

Node

microsoft cbl2_mod_auth_mellon_0.16.0-4Range<0.16.0-4

27 Aug 2022 07:00Current

6.2Medium risk

Vulners AI Score6.2

CVSS 3.16.1

EPSS0.00195

mod_auth_mellon logout address sanitization phishing external redirects