CVE-2024-27291
Published: 2024-03-21
Priority: P4·26
Severity: medium, CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.41% (32.8th percentile)
Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, it is possible to create a URL that acts as an open redirect. The vulnerability has been patched in version 1.4.97 of the master branch.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jhpyle | docassemble | < 1.4.97 | 1.4.97 |
## OSV advisory (osv·2024-02-29): CVE-2024-27291 [MEDIUM] Docassemble open redirect
### Impact
It is possible to create a URL that acts as an open redirect.
### Patches
The vulnerability has been patched in version 1.4.97 of the master branch. The Docker image on docker.io has been patched.
### Workarounds
If upgrading is not possible, manually apply the changes of [4801ac7](https://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa) and restart the server (e.g., by pressing Save on the Configuration screen).
### Credit
The vulnerability was discovered by Riyush Ghimire (@richighimi).
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [docassemble](https://github.com/jhpyle/docassemble/issues)
* Join the [Slack channel](https://join.slack.com/t/docassemble/share
## GHSA advisory (ghsa·2024-02-29): CVE-2024-27291 [MEDIUM] CWE-601 Docassemble open redirect (same advisory text as the OSV entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
* https://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa
* https://github.com/jhpyle/docassemble/security/advisories/GHSA-7wxf-r2qv-9xwr