제출 #711729: Mayan EDMS CMS 4.10 Open Redirect
| 제목 | Mayan EDMS CMS 4.10 Open Redirect |
|---|---|
| 설명 | Mayan EDMS – Open Redirect Vulnerability Unauthenticated, Version 4.10(latest) An unauthenticated Open Redirect vulnerability was discovered in Mayan EDMS. Multiple endpoints improperly process user-controlled values from the URL fragment (#) and the next parameter without validation or sanitization. This allows an attacker to redirect victims to arbitrary external websites (e.g., phishing domains, malware pages, credential harvesters) simply by tricking them into opening a crafted link. This issue occurs due to insecure handling of window.location inside client-side JavaScript templates. Affected Endpoints The following URLs are vulnerable to Open Redirect via the hash fragment (#) and/or the next parameter, allowing attackers to specify an arbitrary external target: http://192.168.138.108/authentication/login/#https://evil.com http://192.168.138.108/authentication/password/reset/#https://evil.com http://192.168.138.108/authentication/login/?next=/search/advanced/#https://evil.com http://192.168.138.108/authentication/login/?next=/checkouts/#https://evil.com http://192.168.138.108/authentication/login/?next=/#https://evil.com http://192.168.138.108/authentication/login/?next=/home/#https://evil.com http://192.168.138.108/authentication/password/reset/done/#https://evil.com http://192.168.138.108/authentication/login/?next=/search/advanced/%3F_search_model_pk%3Ddocuments.documentsearchresult/#https://evil.com http://192.168.138.108/authentication/login/?next=/search/advanced/%3F_search_model_pk%3D/#https://evil.com All endpoints behave the same because they rely on the same vulnerable JavaScript fragment. Root Cause (Vulnerable Code) The vulnerable DOM logic is located in the primary template used for navigation handling: <script> if (typeof partialNavigation === 'undefined') { document.write('<script type="text/undefined">') const currentLocation = '#' + window.location.pathname + window.location.search; const url = new URL(currentLocation, window.location.origin) window.location = url; } </script> window.location.hash (fully attacker-controlled) is appended to the application’s navigation logic and executed without sanitization → redirect to external domain. |
| 원천 | ⚠️ https:/ |
| 사용자 | luca_irinel (UID 85391) |
| 제출 | 2025. 12. 10. AM 10:28 (4 개월 ago) |
| 모더레이션 | 2025. 12. 14. AM 11:41 (4 days later) |
| 상태 | 수락 |
| VulDB 항목 | 336410 [Mayan EDMS 까지 4.10.1 /authentication/ Redirect] |
| 포인트들 | 20 |