CVE-2024-53995

GHSL-2024-288: SickChill open redirect in login

CVSS 1.9 LOWEPSS 0.9%CWE-601

Vexday Risk Score

23Bajo

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS 1.9EPSS 0.9%KEV nãoPoC —Nuclei simMetasploit —Patch —

Ciclo de vida

08 ene 2025Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

SickChill is an automatic video library manager for TV shows. A user-controlled `login` endpoint's `next_` parameter takes arbitrary content. Prior to commit c7128a8946c3701df95c285810eb75b2de18bf82, an authenticated attacker may use this to redirect the user to arbitrary destinations, leading to open redirect. Commit c7128a8946c3701df95c285810eb75b2de18bf82 changes the login page to redirect to `settings.DEFAULT_PAGE` instead of to the `next` parameter.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:P

Productos afectados

SickChill · sickchill

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/SickChill/sickchill/blob/846adafdfab579281353ea08a27bbb813f9a9872/sickchill/views/authentication.py#L33 https://github.com/SickChill/sickchill/commit/c7128a8946c3701df95c285810eb75b2de18bf82 https://github.com/SickChill/sickchill/pull/8811 https://securitylab.github.com/advisories/GHSL-2024-283_GHSL-2024-291_sickchill_sickchill/