Open Redirect in openwhyd/openwhyd

Valid

Reported on

Dec 13th 2021


Description

openwhyd is vulnerable to Open Redirect vulnerability via the redirect parameter at login page.

Vulnerable parameter

redirect

Vulnerable URL

https://openwhyd.org/login?redirect=https://google.com

Proof of Concept

Send users the following login link https://openwhyd.org/login?redirect=https://google.com
After users use their registered account to log in, they will be redirected to google.com

Impact

This functionality is not restricted to relative URLs within the application and could be leveraged by an attacker to fool an end-user into believing that a malicious URL they were redirected to is valid. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

We are processing your report and will contact the openwhyd team within 24 hours. a year ago
KhanhCM modified the report
a year ago
We have contacted a member of the openwhyd team and are waiting to hear back a year ago
We have sent a follow up to the openwhyd team. We will try again in 7 days. a year ago
Adrien Joly validated this vulnerability a year ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adrien Joly marked this as fixed in 1.45.12 with commit 102a97 a year ago
Adrien Joly has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation