← back
CVE-2021-21337

URL Redirection to Untrusted Site ('Open Redirect') in Products.PluggableAuthService

CVSS 5.7 MEDIUMEPSS 8.4%CWE-601
Products.PluggableAuthService is a pluggable Zope authentication and authorization framework. In Products.PluggableAuthService before version 2.6.0 there is an open redirect vulnerability. A maliciously crafted link to the login form and login functionality could redirect the browser to a different website. The problem has been fixed in version 2.6.1. Depending on how you have installed Products.PluggableAuthService, you should change the buildout version pin to `2.6.1` and re-run the buildout, or if you used `pip` simply do `pip install "Products.PluggableAuthService>=2.6.1".
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Affected products
zopefoundation · Products.PluggableAuthService
public PoCs found2
cve_referencepacketstormsecurity.com/files/162911/Products.PluggableAuthService-2.6.0-Open-Redirect.htmlunverifiedexploitdbwww.exploit-db.com/exploits/49930unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/162911/Products.PluggableAuthService-2.6.0-Open-Redirect.htmlhttps://github.com/zopefoundation/Products.PluggableAuthService/commit/7eead067898852ebd3e0f143bc51295928528dfahttps://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrrhttps://pypi.org/project/Products.PluggableAuthService/