CVE-2014-1985

Published Apr 11, 2014

Last updated 4 months ago

CVSS info 5.8

Overview

Description: Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Redmine before 2.4.5 and 2.5.x before 2.5.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the back url (back_url parameter).
Source: vultures@jpcert.or.jp
NVD status: Modified

Risk scores

CVSS 2.0

Type: Primary
Base score: 5.8
Impact score: 4.9
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:P/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-20

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:redmine:redmine:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "14A4B298-BCC4-4E4C-A538-28CD0E11F1A4",
            "versionEndIncluding": "2.4.4"
          },
          {
            "criteria": "cpe:2.3:a:redmine:redmine:2.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "86858F9B-8A3B-4667-A42B-198862F0508E"
          },
          {
            "criteria": "cpe:2.3:a:redmine:redmine:2.4.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "64B5E6E0-4824-46AE-9518-A9E17FB74E84"
          },
          {
            "criteria": "cpe:2.3:a:redmine:redmine:2.4.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1E13CFD7-1981-49C4-9990-713C811DC851"
          },
          {
            "criteria": "cpe:2.3:a:redmine:redmine:2.4.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2A120F2B-AF7F-416E-929B-C2BF573F5032"
          },
          {
            "criteria": "cpe:2.3:a:redmine:redmine:2.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F96EDC1C-A925-4D24-87B4-BA3AA993ABAF"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 2.0

Weaknesses

Social media

Configurations

References