CVE-2021-24288
Published 2021-05-17
Priority: P3 (38) · Severity: medium · CVSS 3.1 base score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit
EPSS: 1.94% (77.6th percentile)
When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| acymailing | acymailing | < 7.5.0 | 7.5.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
No detection rules found.
Nuclei
CVE-2021-24288 [MEDIUM] WordPress AcyMailing <7.5.0 - Open Redirect (nuclei · CVSS 6.1)
WordPress AcyMailing plugin before 7.5.0 contains an open redirect vulnerability due to improper sanitization of the redirect parameter. An attacker turning the request from POST to GET can craft a link containing a potentially malicious landing page and send it to the user.
Template:
```yaml
id: CVE-2021-24288

info:
  name: WordPress AcyMailing <7.5.0 - Open Redirect
  author: 0x_Akoko
  severity: medium
  description: WordPress AcyMailing plugin before 7.5.0 contains an open redirect vulnerability due to improper sanitization of the redirect parameter. An attacker turning the request from POST to GET can craft a link containing a potentially malicious landing page and send it to the user.
  impact: |
    An attacker can exploit this vulnerability to redirect use
```