CVE-2022-25295

This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parse(r.FormValue("next")) to extract path and eventually redirect user to a relative URL, but if next parameter starts with multiple backslashes like \\\\\\example.com, browser will redirect user to http://example.com.
References
Configurations

Configuration 1 (hide)

cpe:2.3:a:getgophish:gophish:*:*:*:*:*:*:*:*

History

15 Sep 2022, 03:41

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
CWE CWE-601
CPE cpe:2.3:a:getgophish:gophish:*:*:*:*:*:*:*:*
First Time Getgophish gophish
Getgophish
References (MISC) https://github.com/gophish/gophish/pull/2262 - (MISC) https://github.com/gophish/gophish/pull/2262 - Patch, Third Party Advisory
References (MISC) https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOPHISHGOPHISH-2404177 - (MISC) https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGOPHISHGOPHISH-2404177 - Exploit, Third Party Advisory

11 Sep 2022, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-09-11 14:15

Updated : 2023-12-10 14:35


NVD link : CVE-2022-25295

Mitre link : CVE-2022-25295

CVE.ORG link : CVE-2022-25295


JSON object : View

Products Affected

getgophish

  • gophish
CWE
CWE-601

URL Redirection to Untrusted Site ('Open Redirect')