Open redirection using the return_url parameter

Low

gmazoyer published GHSA-f4mf-5g28-q7f5

Mar 12, 2024

Package

peering-manager/peering-manager (git)

Affected versions

<=1.8.2

Patched versions

1.8.3

peeringmanager/peering-manager (docker)

<=1.8.2

1.8.3

Description

Summary

In Peering Manager <=1.8.2, it is possible to redirect users to an arbitrary page using a crafted url.

Impact

Users can be redirected to an unexpected location.

Suggestions

Update to version 1.8.3

Severity

Low

3.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

High

User interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N