Submission #845900: kirilkirkov Ecommerce-CodeIgniter-Bootstrap master Open Redirect / URI Injection

Title: kirilkirkov Ecommerce-CodeIgniter-Bootstrap master Open Redirect / URI Injection
Description:

## Description

Ecommerce-CodeIgniter-Bootstrap contains a stored administrator-side URI injection issue in the order management flow. An unauthenticated attacker can send a malicious `Referer` header while placing an order. The application stores this value in the session, persists it into `orders.referrer`, and later renders it in the administrator orders page as both link text and an `href` value without output encoding or URI scheme validation. An administrator who reviews the affected order sees a clickable attacker-controlled URL in the trusted backend interface. This can be used for administrator-facing phishing, redirection to an untrusted site, or other social-engineering attacks against backend users.

## Technical Details

- Affected component: `application/core/MY_Controller.php`, `application/controllers/Checkout.php`, `application/models/Public_model.php`, `application/modules/admin/views/ecommerce/orders.php`
- Trigger path: `/index.php/checkout`
- Admin sink: `/index.php/admin/orders`
- Weakness: `CWE-74`, `CWE-601`
- CVSS v3.1: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N`
- Severity: `Moderate`
- Published: `2026-05-20`
- Patched version / fix commit: `213babdbaa949e94557246414db0130e01394517`
- GitHub Security Advisory: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/security/advisories/GHSA-x9pg-hvpj-9q44
- Vendor fix: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/commit/213babdbaa949e94557246414db0130e01394517
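The description above names two missing controls at the admin sink: URI scheme validation and output encoding. The following PHP is an added example of how a defender would apply both before rendering a stored `Referer` value in an orders table; it is not code from the Ecommerce-CodeIgniter-Bootstrap project or from the vendor fix, and the function names `safeReferrerUrl` and `renderReferrerCell` are hypothetical.

```php
<?php
// Added example (not from the project): vet and encode a stored Referer
// value before it is rendered as a link in an administrator page.

declare(strict_types=1);

/**
 * Return the value unchanged only if it is an absolute http(s) URL that is
 * safe to use in an href; otherwise return null so the caller renders it as
 * plain text. Rejects non-http schemes, relative values, userinfo tricks
 * (https://trusted@evil.example), control characters and oversized input.
 */
function safeReferrerUrl(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 2048) {
        return null;
    }
    // Control characters and embedded whitespace are parsed loosely by
    // browsers; never let them reach an attribute.
    if (preg_match('/[\x00-\x20\x7F]/', $raw) === 1) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    return $raw;
}

/**
 * Render the referrer column. A clickable link is produced only for vetted
 * http(s) URLs; anything else is shown as HTML-escaped text so the admin
 * still sees what the client sent without it being executable or navigable.
 */
function renderReferrerCell(?string $stored): string
{
    if ($stored === null || trim($stored) === '') {
        return '<td>-</td>';
    }
    // Encode for the HTML text context in every case.
    $text = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $url = safeReferrerUrl($stored);
    if ($url === null) {
        return '<td>' . $text . '</td>';
    }
    // Encode again for the attribute context; noopener/noreferrer/nofollow
    // limit what the target page can do and signal it is untrusted.
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td><a href="' . $href . '" rel="noopener noreferrer nofollow" target="_blank">'
        . $text . '</a></td>';
}

// Constructed sample values (not taken from any real order):
$samples = [
    'https://shop.example/category/shoes',        // rendered as a link
    'javascript:void(0)',                         // wrong scheme: text only
    'https://trusted.example@evil.example/login', // userinfo: text only
    '"><b>not a url</b>',                         // no scheme: escaped text
];
foreach ($samples as $sample) {
    echo renderReferrerCell($sample), PHP_EOL;
}
```

The same `safeReferrerUrl` check belongs at store time as well (where the controller copies the header into the session and the model writes `orders.referrer`), so that a rejected value is stored as empty rather than relying on every view to filter it; the render-time encoding stays regardless, because the database column is still untrusted input from the view's point of view.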
Source: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/security/advisories/GHSA-x9pg-hvpj-9q44
User: Anonymous User
Submitted: 02/06/2026 10:03 (1 month ago)
Moderation: 03/07/2026 19:24 (1 month later)
Status: Accepted
VulDB entry: 376147 [kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 95dfa8cebbb87ab46ae450643a07241274a74dce Trusted Backend Interface MY_Controller.php setReferrer href Redirect]
Points: 20
