cbcvebase.
CVE-2008-2052
published 2008-05-02


Priority: P2 64 medium
CVSS 3.1: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploitation: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 1.57% (72.3rd percentile)
Open redirect vulnerability in redirect.php in Bitrix Site Manager 6.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the goto parameter.

Affected (1 range)

Vendor     Product              Version range   Fixed in
bitrix24   bitrix_site_manager  (not listed)    (not listed)

Detection & IOCs (extracted from sources)

path: /bitrix/rk.php
path: /bitrix/redirect.php
path: /bitrix/tools/track_mail_click.php
yara regex: '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'
  • Look for HTTP 301/302 redirect responses from /bitrix/redirect.php or /bitrix/rk.php where the Location header points to an external domain supplied via the 'goto' parameter.
  • Monitor GET requests to /bitrix/redirect.php and /bitrix/rk.php that carry a 'goto' parameter with an external URL, including URL-encoded bypass variants such as %252F that evade allowlist checks.
  • Shodan fingerprint for exposed Bitrix instances: search for html:"/bitrix/" to identify potentially vulnerable targets.
  • The Nuclei template uses 'stop-at-first-match: true' across 14 payload paths, so only the first successful redirect response is flagged; scanners should iterate all paths independently to avoid false negatives.
  • The vulnerability affects redirect.php in Bitrix Site Manager 6.5 per NVD, but the Nuclei template targets version 2.x paths; coverage may differ across product versions.
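A defender-side check for the two log-monitoring bullets above, written for this page as an added example (not from the page's sources or from Bitrix): it parses constructed access-log lines, keeps requests to the redirect endpoints listed in the IOC section, decodes the goto parameter repeatedly so double-encoded variants such as %252F resolve, and reports any target host outside a hypothetical allowlist (TRUSTED_HOSTS is an assumption).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [02/May/2008:10:01:02 +0000] "GET /bitrix/redirect.php?event1=news&goto=https://example.com/page HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2008:10:01:07 +0000] "GET /bitrix/redirect.php?goto=http://phish.example.net/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2008:10:01:09 +0000] "GET /bitrix/rk.php?goto=%252F%252Fphish.example.net%252F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2008:10:01:11 +0000] "GET /bitrix/rk.php?goto=%2Fcatalog%2Fitem%2F1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.2 - - [02/May/2008:10:01:15 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
# Redirect endpoints listed in the page's IOC section.
REDIRECT_PATHS = {"/bitrix/redirect.php", "/bitrix/rk.php", "/bitrix/tools/track_mail_click.php"}
TRUSTED_HOSTS = {"example.com", "www.example.com"}  # hypothetical allowlist of legitimate redirect targets
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded %252F collapses to '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def external_host(goto):
    """Return the off-site host a goto value resolves to, or None if it stays on site."""
    target = decode_fully(goto).strip()
    if target.startswith("//"):
        target = "http:" + target  # protocol-relative URL still leaves the site
    parts = urlsplit(target)
    if not parts.scheme or not parts.netloc:
        return None  # relative path: the browser stays on the same host
    host = (parts.hostname or "").lower()
    return None if host in TRUSTED_HOSTS else host

def find_open_redirects(log_text):
    """Flag requests to the Bitrix redirect endpoints whose goto points off-site."""
    findings = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        url = urlsplit(m.group("target"))
        if url.path not in REDIRECT_PATHS:
            continue
        for goto in parse_qs(url.query).get("goto", []):  # parse_qs decodes one layer
            host = external_host(goto)
            if host:
                findings.append((m.group("ip"), url.path, host, m.group("status")))
    return findings
```

The returned status code lets an analyst correlate a suspicious goto with the 301/302 response the first bullet describes.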

CVSS provenance

NVD v3.1: 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
NVD v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N)
VulnCheck: 6.1 MEDIUM