CVE-2022-25799 - OpenCVE

An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user's browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user's credentials.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Cert	Vince

Configuration 1 [-]

cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*

References

Link	Resource
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html	Exploit Third Party Advisory
https://github.com/CERTCC/VINCE/issues/45	Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: certcc

Published: 2022-10-05T00:00:00

Updated: 2022-10-06T00:00:00

Reserved: 2022-02-22T00:00:00

Link: CVE-2022-25799

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-16T22:15:08.147

Modified: 2022-11-16T17:03:05.597

Link: CVE-2022-25799

JSON object: View

Redhat Information

No data.

CWE

CWE-601

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cert:vince:*:*:*:*:*:*:*:*", "matchCriteriaId": "996A047E-B6BD-4CA2-AFFE-25FD35000D66", "versionEndExcluding": "1.50.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An open redirect vulnerability exists in CERT/CC VINCE software prior to 1.50.0. An attacker could send a link that has a specially crafted URL and convince the user to click the link. When an authenticated user clicks the link, the authenticated user's browser could be redirected to a malicious site that is designed to impersonate a legitimate website. The attacker could trick the user and potentially acquire sensitive information such as the user's credentials."}, {"lang": "es", "value": "Existe una vulnerabilidad de redirecci\u00f3n abierta en el software CERT/CC VINCE anterior a la versi\u00f3n 1.50.0. Un atacante podr\u00eda enviar un enlace con una URL especialmente dise\u00f1ada y convencer al usuario de que haga clic en el enlace. Cuando un usuario autenticado hace clic en el enlace, el navegador del usuario autenticado podr\u00eda ser redirigido a un sitio malicioso que est\u00e1 dise\u00f1ado para hacerse pasar por un sitio web leg\u00edtimo. El atacante podr\u00eda enga\u00f1ar al usuario y potencialmente adquirir informaci\u00f3n sensible como las credenciales del usuario"}], "id": "CVE-2022-25799", "lastModified": "2022-11-16T17:03:05.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-16T22:15:08.147", "references": [{"source": "cret@cert.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"}, {"source": "cret@cert.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/CERTCC/VINCE/issues/45"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-601"}], "source": "cret@cert.org", "type": "Secondary"}]}