#VU31132 Open redirect in Crowd Server - CVE-2017-18109 


Published: March 29, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU31132
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-18109
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Crowd Server
Software vendor: Atlassian

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The login resource of CrowdId in Atlassian Crowd before version 3.0.2, and from version 3.1.0 before version 3.1.1, allows remote attackers to redirect users to a different website via an open redirect, which they may use as part of a phishing attack.
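The open-redirect pattern behind CWE-601, shown beside a hardened redirect handler and a log check that flags off-site redirect targets. This is an added example in Python, not Crowd's or Atlassian's code; the `redirect` parameter name, the `/login` path, the landing page and the access-log lines are all constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed default; the real CrowdId login resource, its parameter names
# and its paths are not reproduced here.
DEFAULT_LANDING = "/console/"


def unsafe_redirect_target(param):
    """Vulnerable pattern (CWE-601): the post-login destination is taken
    verbatim from the request, so an absolute URL to another site is honoured."""
    return param or DEFAULT_LANDING


def safe_redirect_target(param):
    """Hardened pattern: accept only a same-site, single-slash relative path
    and fall back to a fixed landing page for anything else."""
    if not param:
        return DEFAULT_LANDING
    candidate = param.strip()
    # Control characters or embedded whitespace can smuggle a scheme past
    # naive checks, and browsers treat a backslash like a forward slash.
    if any(ord(c) < 0x20 for c in candidate) or "\\" in candidate or " " in candidate:
        return DEFAULT_LANDING
    # A scheme-relative URL ("//host", "///host") is an external target;
    # require exactly one leading slash.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_LANDING
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING
    # Rebuild from path, query and fragment only, so no authority survives.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


# Constructed access-log lines for the detection check below (not real Crowd logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Mar/2019:10:00:01 +0000] "GET /login?redirect=%2Fconsole%2F HTTP/1.1" 302 -',
    '10.0.0.9 - - [29/Mar/2019:10:00:07 +0000] "GET /login?redirect=//evil.example/ HTTP/1.1" 302 -',
    '10.0.0.9 - - [29/Mar/2019:10:00:09 +0000] "GET /login?redirect=https%3A%2F%2Fevil.example%2Fsso HTTP/1.1" 302 -',
    '10.0.0.7 - - [29/Mar/2019:10:01:15 +0000] "GET /login HTTP/1.1" 200 -',
]

# Client address and request target from a combined-format log line.
REQUEST_LINE = re.compile(r'^(\S+) .*? "[A-Z]+ (\S+) HTTP/')


def flag_external_redirects(lines, param="redirect"):
    """Return (client, value) pairs whose redirect parameter the hardened
    handler would have rewritten, i.e. values that point off-site."""
    flagged = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs percent-decodes, so an encoded absolute URL is caught too.
        for value in parse_qs(urlsplit(target).query).get(param, []):
            if safe_redirect_target(value) != value:
                flagged.append((client, value))
    return flagged


if __name__ == "__main__":
    for hit in flag_external_redirects(SAMPLE_LOG):
        print("off-site redirect requested:", hit)
```

The hardened handler deliberately allows no absolute URLs at all; where a deployment must redirect to other hosts (for example an SSO portal), the usual alternative is a fixed allowlist of scheme-plus-host values compared against `urlsplit(candidate).netloc`, never a prefix or substring match on the raw string.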


Remediation

Install the update from the vendor's website.

External links