Open Forms is an application for creating and publishing smart forms. Prior to versions 1.0.9 and 1.1.1, the cookie consent page in Open Forms contains an open redirect by injecting a `referer` querystring parameter and failing to validate the value. A malicious actor is able to redirect users to a website under their control, opening them up for phishing attacks. The redirect is initiated by the open forms backend which is a legimate page, making it less obvious to end users they are being redirected to a malicious website. Versions 1.0.9 and 1.1.1 contain patches for this issue. There are no known workarounds avaialble.
References
Link | Resource |
---|---|
https://github.com/open-formulieren/open-forms/commit/3e8c9cce386e548765783354694fbb9d7a6ea7d3 | Patch Third Party Advisory |
https://github.com/open-formulieren/open-forms/security/advisories/GHSA-c97h-m5qf-j8mf | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-06-13T12:10:10
Updated: 2022-06-13T12:10:10
Reserved: 2022-05-18T00:00:00
Link: CVE-2022-31040
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-06-13T12:15:08.360
Modified: 2022-06-21T14:16:44.243
Link: CVE-2022-31040
JSON object: View
Redhat Information
No data.
CWE