Lucene search

K

GoogleOSV:GHSA-VG27-HR3V-3CQV

HistoryFeb 16, 2022 - 11:02 p.m.

open redirect in pollbot

2022-02-1623:02:09

Google

osv.dev

10

0.001 Low

EPSS

Percentile

27.3%

(From https://bugzilla.mozilla.org/show_bug.cgi?id=1753838)

Summary:
There was an open redirection vulnerability in the path of:

https://pollbot.services.mozilla.com/ and https://pollbot.stage.mozaws.net/

Description:
An attacker can redirect anyone to malicious sites.

Steps To Reproduce:
Type in this URL:

https://pollbot.services.mozilla.com/ /evil.com/

It redirects to that website

evil.com was used as an example but this could be any website. Note, the /%0a/ and trailing / are required.

Supporting Material/References:
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

Impact

Attackers can serve malicious websites that steal passwords or download ransomware to their victims machine due to a redirect and there are a heap of other attack vectors.

CPENameOperatorVersion
pollboteq1.1.2
pollboteq0.2.0
pollboteq0.6.1
pollboteq0.1.0
pollboteq0.6.0
pollboteq1.0.0
pollboteq1.1.0
pollboteq0.2.1
pollboteq0.3.0
pollboteq1.1.1

Rows per page:

1-10 of 141

References

bugzilla.mozilla.org/show_bug.cgi?id=1753838

bugzilla.mozilla.org/show_bug.cgi?id=CVE-2022-0637

github.com/mozilla/PollBot

github.com/mozilla/PollBot/commit/e39d8bec2df582ba525bb2e2f33c3ebc584d7ff8

github.com/mozilla/PollBot/pull/360

github.com/mozilla/PollBot/security/advisories/GHSA-vg27-hr3v-3cqv

nvd.nist.gov/vuln/detail/CVE-2022-0637

0.001 Low

EPSS

Percentile

27.3%

Related for OSV:GHSA-VG27-HR3V-3CQV

cvelist1 nvd1 github1 veracode1 osv1 cve1 cnvd1 prion1