Eventum 3.3.4 Open Redirection
Advisory ID: RO-18-009
Severity: Medium
Vendor: Eventum
Product: Eventum Issue Tracker
Version: 3.3.4
Overview
An Open Redirection vulnerability exists in Eventum Issue Tracker version 3.3.4. The vulnerability allows remote attackers to redirect users to arbitrary external websites.
Vulnerability Details
Affected Versions: 3.3.4 and earlier
Root Cause: Insufficient validation of redirect URLs allows attackers to redirect users to malicious websites.
Exploitation Requirements
- No authentication required
- Victim must click a crafted link
Impact
Remote attackers can exploit this vulnerability to:
- Redirect users to phishing sites
- Steal user credentials via fake login pages
- Distribute malware
Proof of Concept
Details available upon request.
Solution
Upgrade to a patched version of Eventum that includes proper URL validation.
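One way to implement the URL validation the Solution calls for, as an added example in PHP (the language Eventum is written in). This is not Eventum's code or its patch; the function name `safe_redirect_target`, the allow-list and all sample hosts and paths are assumptions constructed for illustration.

```php
<?php
// Added example: not Eventum's code or its patch. Hosts and paths are constructed.
// Returns $url if it is a site-relative path or an http(s) URL on an
// allow-listed host; otherwise returns $fallback.
function safe_redirect_target(string $url, array $allowedHosts, string $fallback = '/'): string
{
    // Browsers drop tabs/newlines and treat "\" like "/", so refuse control
    // characters, spaces and backslashes before any parsing.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return $fallback;
    }
    // Site-relative path: exactly one leading slash. "//host" is
    // protocol-relative and would leave the site.
    if ($url[0] === '/') {
        return (isset($url[1]) && $url[1] === '/') ? $fallback : $url;
    }
    // Anything else must be a full http(s) URL on an allow-listed host.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    // "https://trusted@other.example/" puts the trusted name in userinfo.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    // Exact host match; substring or suffix checks are not sufficient.
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $fallback;
    }
    return $url;
}

// Constructed inputs: the first two are accepted, the rest fall back to "/".
$allowed = ['tracker.example.com'];
$samples = [
    '/issues?status=open',
    'https://tracker.example.com/issues?id=1',
    '//other.example/login',
    'https://tracker.example.com@other.example/',
    'https://tracker.example.com.other.example/',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    printf("%-48s -> %s\n", $s, safe_redirect_target($s, $allowed));
}
```

Relative targets without a leading slash are also sent to the fallback, which keeps the accepted forms to two that are easy to reason about.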
References
Vendor notification sent
Timeline:
[2018-01-01] - Discovered
Credits: Omar Kurt
- Written by: khalil shreateh