CIVI-SA-2015-007: Open redirect in post-form display

Pubblicato
2015-08-19 05:09
Written by

The contribution page's return URL could be used to redirect site visitors to another URL.

For more information about this type of attack, see OWASP's reference page on open redirects.

Security Risk
Moderately Critical
Vulnerability
Open Redirect
Affected Versions
  • CiviCRM before v4.6.6
  • CiviCRM LTS before v4.4.18
Fixed Versions
  • CiviCRM v4.6.7
  • CiviCRM LTS v4.4.19
Solutions
Either:
  • Upgrade to a fixed release of CiviCRM, or
  • Patch with https://github.com/eileenmcnaughton/civicrm-core/commit/6ef7bd91a684e23c5d8c601b2a5060f0176a6d7b
Credits

Thanks to Rob Brandt for reporting this issue.