Lucene search

@huntr_aiVULNRICHMENT:CVE-2024-4940

HistoryJun 22, 2024 - 5:23 a.m.

CVE-2024-4940 Open Redirect in gradio-app/gradio

2024-06-2205:23:49

CWE-601

@huntr_ai

github.com

open redirect

gradio-app

latest version

arbitrary websites

phishing attacks

xss

ssrf

improper validation

user-supplied urls

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score

6.5

Confidence

High

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This issue is due to improper validation of user-supplied input in the handling of URLs. Attackers can exploit this vulnerability by crafting a malicious URL that, when processed by the application, redirects the user to an attacker-controlled web page.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:gradio_project:gradio:4.36.0:*:*:*:*:*:*:*"
    ],
    "vendor": "gradio_project",
    "product": "gradio",
    "versions": [
      {
        "status": "affected",
        "version": "4.36.0"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

huntr.com/bounties/35aaea93-6895-4f03-9c1b-cd992665aa60

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

AI Score

6.5

Confidence

High

SSVC

Exploitation

poc

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2024-4940