WEB APPLICATION VULNERABILITIES Standard & Premium

Ruby on Rails URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2023-22797)

Description

An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability.

Remediation

References

Related Vulnerabilities

WordPress Plugin Clockwork SMS Notfications Cross-Site Scripting (2.0.3)

PostgreSQL Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-0061)

Jenkins CVE-2014-2063 Vulnerability (CVE-2014-2063)

MediaWiki Improper Neutralization of Special Elements used in a Command ('Command Injection') Vulnerability (CVE-2014-9277)

Squid Other Vulnerability (CVE-2011-3205)

Severity

Medium

Classification

CVE-2023-22797 CWE-601 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Tags

Missing Update Known Vulnerabilities