Open redirect in Crowd Server - CVE-2017-18109


Published: March 29, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU31132
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-18109
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Atlassian
Affected software:
Crowd Server

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The login resource of CrowdId in Atlassian Crowd before version 3.0.2, and from version 3.1.0 before version 3.1.1, allows remote attackers to redirect users to a different website via an open redirect, which they may use as part of a phishing attack.
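The root cause class here (CWE-601) is a login endpoint that forwards the browser to whatever target the request names. As an added example that is not Atlassian's code, the following Python check shows the kind of validation a login handler needs before honouring a post-login redirect parameter; the parameter handling and the host name `crowd.example` are assumptions.

```python
"""Constrain a post-login redirect target to the application itself.

Added example (not Crowd's code). A login handler would call
safe_redirect_target() on the user-supplied "return to" parameter
and redirect only to the value it returns.
"""
from typing import Optional
from urllib.parse import unquote, urlsplit

DEFAULT_TARGET = "/"  # where to send the user when the requested target is unsafe


def safe_redirect_target(raw: Optional[str], allowed_host: str) -> str:
    """Return a same-site relative path derived from raw, or DEFAULT_TARGET."""
    if not raw:
        return DEFAULT_TARGET
    candidate = unquote(raw).strip()
    # Some browsers treat "\" like "/", so "/\evil.example" becomes "//evil.example".
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET  # javascript:, data:, and other non-web schemes
    if parts.netloc:
        # Absolute or protocol-relative URL ("//evil.example"): host must match exactly.
        if parts.netloc.lower() != allowed_host.lower():
            return DEFAULT_TARGET
    elif not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_TARGET  # relative names and leftover "//..." forms are rejected
    # Re-emit as a relative path so no scheme or host survives into the Location header.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target
```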


How to mitigate CVE-2017-18109

Install the update from the vendor's website.

Sources