Dear Team,
Thank you for your contribution to the open source community
Summary:
I was able to find an Open Redirect vulnerability by providing a different domain in the "next" parameter that is used in the login process.
Open Redirect Description and Impact:
An Open Redirect issue occurs when a web application redirects users to external URLs without proper validation. This can lead to phishing attacks, where users are tricked into visiting malicious sites, potentially leading to information theft and reputational damage to the website used for redirection.
Vulnerable Code:
NewsBlur/apps/reader/views.py
Lines 203 to 205 in 1f74f1a
Here if the "next" parameter was any of the following:
?next=https://www.google.com
?next=//google.com
Recommended Solution:
To remediate this, use the url_has_allowed_host_and_scheme method provided by django.utils.http.
The code should look like this:
Thank you for your attention to this matter. I look forward to your response and am ready to assist in any way necessary to resolve this issue.
Regards,
Cainor
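The following is an added example, not code from the report above or from the NewsBlur project. It shows the class of bug the report describes (a login view that follows whatever `?next=` contains) next to the recommended fix. Because the verifier may not have Django installed, the check is a stdlib re-implementation of the logic behind `django.utils.http.url_has_allowed_host_and_scheme` rather than an import of it; in a real Django view you would call the Django function directly. The host set, the function names and the `vulnerable_login_target` / `safe_login_target` helpers are constructed for this example and are not NewsBlur's code.

```python
import unicodedata
from urllib.parse import urlparse

# Hosts the application is willing to redirect to. Constructed example value;
# in a Django view you would normally pass request.get_host() or a setting.
REDIRECT_ALLOWED_HOSTS = {"newsblur.com", "www.newsblur.com"}


def _check_one(url, allowed_hosts, require_https):
    """Single pass of the host/scheme check (mirrors Django's private helper)."""
    # Browsers treat three or more leading slashes as an absolute URL, but
    # urlparse does not, so refuse them outright.
    if url.startswith("///"):
        return False
    try:
        parts = urlparse(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # "https:evil.com" or "http:///evil.com": a scheme without a host. Browsers
    # still treat evil.com as the host, so this must be rejected.
    if not parts.netloc and parts.scheme:
        return False
    # Some browsers ignore leading control characters, which could turn a
    # relative-looking URL into a scheme-relative one.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    # Scheme-relative URLs such as //evil.com are fetched over http(s).
    if not parts.scheme and parts.netloc:
        scheme = "http"
    valid_schemes = ["https"] if require_https else ["http", "https"]
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid_schemes
    )


def url_is_safe_redirect(url, allowed_hosts, require_https=False):
    """Return True only if `url` is a relative path or targets an allowed host.

    Stdlib re-implementation (written for this example) of the logic behind
    Django's django.utils.http.url_has_allowed_host_and_scheme, so the example
    runs without Django installed. In a Django project use the real function.
    """
    if url is not None:
        url = url.strip()
    if not url:
        return False
    if allowed_hosts is None:
        allowed_hosts = set()
    elif isinstance(allowed_hosts, str):
        allowed_hosts = {allowed_hosts}
    # Chrome treats a backslash in the path as a forward slash, so /\evil.com
    # is followed as //evil.com. Check both spellings and require both to pass.
    return _check_one(url, allowed_hosts, require_https) and _check_one(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def vulnerable_login_target(next_param, fallback="/"):
    """Hypothetical 'before' version: the user is sent wherever ?next= says."""
    return next_param or fallback


def safe_login_target(next_param, allowed_hosts=REDIRECT_ALLOWED_HOSTS, fallback="/"):
    """Hardened version: only honour ?next= when it stays on an allowed host."""
    if url_is_safe_redirect(next_param, allowed_hosts):
        return next_param.strip()
    return fallback


if __name__ == "__main__":
    # The two payloads from the report plus other spellings the check covers.
    for candidate in ["https://www.google.com", "//google.com", "/\\google.com",
                      "///google.com", "https:google.com", "/reader/",
                      "https://newsblur.com/reader/"]:
        print(f"{candidate!r:32} vulnerable -> {vulnerable_login_target(candidate)!r:32} "
              f"safe -> {safe_login_target(candidate)!r}")
```

The key design point is that the check is an allow-list on the parsed host, not a deny-list on strings: a relative path with no host is accepted, anything with a host must match exactly, and the backslash and triple-slash variants are rejected because browsers parse them differently from `urlparse`. Django's real function applies the same rules, so passing `request.get_host()` as `allowed_hosts` gives the behaviour the report recommends.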