CVE-2023-6380
Published: 2023-12-13
Priority: P3 38
Severity: medium (CVSS 3.1 base score 6.1)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.59% (72.7th percentile)
Open redirect vulnerability has been found in the Open CMS product affecting versions 14 and 15 of the 'Mercury' template. An attacker could create a specially crafted URL and send it to a specific user to redirect them to a malicious site and compromise them. Exploitation is possible because the 'URI' parameter is not properly sanitized.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alkacon | open_cms | — | — |
| alkacon | open_cms | — | — |
| alkacon | opencms | >= 14.0.0 < 16.0.0 | 16.0.0 |
No detection rules found.
Nuclei
CVE-2023-6380 [MEDIUM] OpenCms 14 & 15 - Open Redirect (nuclei, CVSS 6.1)
Open redirect vulnerability has been found in the Open CMS product affecting versions 14 and 15 of the 'Mercury' template.
Template (only the info block is reproduced here):
```yaml
id: CVE-2023-6380

info:
  name: OpenCms 14 & 15 - Open Redirect
  author: MiguelSegoviaGil
  severity: medium
  description: |
    Open redirect vulnerability has been found in the Open CMS product affecting versions 14 and 15 of the 'Mercury' template
  impact: |
    Unauthenticated attackers can redirect users to malicious external sites via the uri parameter, potentially facilitating phishing attacks or malware distribution.
  remediation: |
    Update OpenCMS to version 16 or later.
  reference:
    - https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-alkacon-software-opencms
    - https://github.com/fkie-cad/nvd-json-data-feeds
```