Gửi #641089: Freshworks Inc freshwork v1.2.3 Open Redirect
| tiêu đề | Freshworks Inc freshwork v1.2.3 Open Redirect |
|---|---|
| Mô tả | Vulnerability Description A GET-based Open Redirect was identified in the logout functionality of Freshwork Product v1.2.3. The application’s logout endpoint accepts a post_logout_redirect_uri parameter from the query string and uses it directly to construct the destination URL after logout, without sufficient validation or sanitization. This allows an attacker to craft a malicious link that, when clicked, logs out the user and then redirects them to an attacker-controlled site. Such behavior can be abused for phishing campaigns, session termination attacks, or to trick users into trusting a malicious site. Steps to reproduce: 1. Make a GET request to below URL and define any attacker controlled domain in the post_logout_redirect_uri parameter, result will be redirected to the specified domain. https://[orgination_name].myfreshworks.com/api/v2/logout?post_logout_redirect_uri=https://evil.com |
| Nguồn | ⚠️ https:/ |
| Người dùng | kushkira (UID 60170) |
| Đệ trình | 25/08/2025 10:27 (cách đây 10 các tháng) |
| Kiểm duyệt | 10/09/2025 14:44 (16 days later) |
| Trạng thái | được chấp nhận |
| Mục VulDB | 323487 [Freshwork đến 1.2.3 /api/v2/logout post_logout_redirect_uri Redirect] |
| điểm | 20 |