CVE-2018-15178: URL Redirection to Untrusted Site ('Open Redirect')

June 29, 2021

Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.

References

github.com/advisories/GHSA-cpgw-2wxr-pww3
github.com/gogs/gogs/commit/1f247cf8139cb483276cd8dd06385a800ce9d4b2
github.com/gogs/gogs/issues/5364
github.com/gogs/gogs/pull/5365
nvd.nist.gov/vuln/detail/CVE-2018-15178

Detect and mitigate CVE-2018-15178 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →