fresca.calstate.edu Open Redirect vulnerability

Description

Open Bug Bounty ID: OBB-1004993

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

Affected Website:| **[fresca.calstate.edu](<https://fresca.calstate.edu>)**
---|---
Vulnerable Application:| Custom Code
Vulnerability Type:| **[Open Redirect](<https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet>)** / CWE-601
CVSSv3 Score:| 3.4 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N]
Disclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines
Discovered and Reported by:| **devl00p**
Remediation Guide:| **[OWASP Open Redirect Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.md>)**

**Mirror:** [Click here to view the mirror](<http://1004993.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

Vulnerability Reported:| 27 October, 2019 22:01 GMT
---|---
Vulnerability Verified:| 27 October, 2019 22:08 GMT
Website Operator Notified:| 27 October, 2019 22:08 GMT

a. Using the ISO 29147 guidelines| Done
---|---
b. Using publicly available security contacts| Done
c. Using Open Bug Bounty notification framework| Done
d. Using security contacts provided by the researcher| Done

Public Report Published [without any technical details]:| 27 October, 2019 22:08 GMT
---|---