CVE-2017-1000163
published 2017-11-17CVE-2017-1000163: The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 are vulnerable to unvalidated URL redirection, which may…
PriorityP335medium6.1CVSS 3.0
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
2.06%
78.9th percentile
The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 are vulnerable to unvalidated URL redirection, which may result in phishing or social engineering attacks.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | — | — |
| phoenixframework | phoenix | >= 0 < 1.0.6 | 1.0.6 |
| phoenixframework | phoenix | >= 1.1.0 < 1.1.8 | 1.1.8 |
| phoenixframework | phoenix | >= 1.2.0 < 1.2.3 | 1.2.3 |
CVSS provenance
nvdv3.06.1MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.05.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Phoenix Arbitrary URL Redirect
osv·2022-04-12
CVE-2017-1000163 [MEDIUM] Phoenix Arbitrary URL Redirect
Phoenix Arbitrary URL Redirect
The Phoenix team designed `Phoenix.Controller.redirect/2` to protect against redirects allowing user input to redirect to an external URL where your application code otherwise assumes a local path redirect. This is why the `:to` option is used for “local” URL redirects and why you must pass the `:external` option to intentionally allow external URLs to be redirected to. It has been disclosed that carefully crafted user input may be treated by some browsers as an external URL. An attacker can use this vulnerability to aid in social engineering attacks. The most common use would be to create highly believable phishing attacks. For example, the following user input would pass local URL validation, but be treated by Chrome and Firefox as external URLs:
`http://l
GHSA
Phoenix Arbitrary URL Redirect
ghsa·2022-04-12
CVE-2017-1000163 [MEDIUM] CWE-601 Phoenix Arbitrary URL Redirect
Phoenix Arbitrary URL Redirect
The Phoenix team designed `Phoenix.Controller.redirect/2` to protect against redirects allowing user input to redirect to an external URL where your application code otherwise assumes a local path redirect. This is why the `:to` option is used for “local” URL redirects and why you must pass the `:external` option to intentionally allow external URLs to be redirected to. It has been disclosed that carefully crafted user input may be treated by some browsers as an external URL. An attacker can use this vulnerability to aid in social engineering attacks. The most common use would be to create highly believable phishing attacks. For example, the following user input would pass local URL validation, but be treated by Chrome and Firefox as external URLs:
`http://l
No detection rules found.
Nuclei
Phoenix Framework - Open Redirect
nuclei·CVSS 6.1
CVE-2017-1000163 [MEDIUM] Phoenix Framework - Open Redirect
Phoenix Framework - Open Redirect
Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 contain an open redirect vulnerability, which may result in phishing or social engineering attacks.
Template:
id: CVE-2017-1000163
info:
name: Phoenix Framework - Open Redirect
author: 0x_Akoko
severity: medium
description: Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1.6, 1.2.0, 1.2.2 and 1.3.0-rc.0 contain an open redirect vulnerability, which may result in phishing or social engineering attacks.
impact: |
An attacker can craft a malicious URL that redirects users to a malicious website, leading to potential phishing attacks.
remediation: |
Apply the latest security patches or upgrade to a patched version of the Phoenix Framework.
refer
No writeups or analysis indexed.
2017-11-17
Published