CVE-2019-16393: URL Redirection to Untrusted Site (Open Redirect)

September 17, 2019 (updated September 25, 2019)

SPIP mishandles redirect URLs in ecrire/inc/headers.php with a %0D, %0A, or %20 character.

References

blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-2-5-et-SPIP-3-1-11.html
core.spip.net/issues/4362
git.spip.net/SPIP/spip/commit/0b832408b0aabd5b94a81e261e9413c0f31a19f1
nvd.nist.gov/vuln/detail/CVE-2019-16393

Code Behaviors & Features

Detect and mitigate CVE-2019-16393 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →