github.com/gogs/gogs is vulnerable to open redirection attacks. The `isValidRedirect` function in `routes/user/auth.go` does not validate the initial `/\` substring in the URL, which allows remote attackers to redirect users to malicious websites and perform phishing attacks via the `redirect_to` parameter in `user/login`.
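To make the defect concrete, the following Go snippet is an added illustration and not the gogs project's own code: `weakIsValidRedirect` models the class of check the advisory describes (it only rejects the scheme-relative `//host` form), while `isValidRedirect` is a hardened version (an assumed name) that also rejects the `/\` prefix and anything `net/url` parses to a scheme, host or userinfo. The sample values, including the placeholder host `evil.example`, are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// weakIsValidRedirect models the class of check the advisory describes: it
// only rejects the obvious "//host" scheme-relative form. Added illustration,
// not the gogs project's own function.
func weakIsValidRedirect(redirectTo string) bool {
	return strings.HasPrefix(redirectTo, "/") && !strings.HasPrefix(redirectTo, "//")
}

// isValidRedirect is a hardened check (assumed name, added here) that accepts
// only an absolute path on the current origin. Browsers normalise a leading
// "/\" to "//", so a value such as "/\host" is treated as a different host;
// the explicit prefix check catches it even though net/url parses it as a
// plain path with an empty Host.
func isValidRedirect(redirectTo string) bool {
	if redirectTo == "" || !strings.HasPrefix(redirectTo, "/") {
		return false
	}
	// Scheme-relative ("//") and its backslash variant ("/\") both leave the origin.
	if strings.HasPrefix(redirectTo, "//") || strings.HasPrefix(redirectTo, "/\\") {
		return false
	}
	// Backslashes and control characters are never part of a legitimate local
	// path; rejecting them keeps us clear of browser-specific normalisation.
	if strings.ContainsAny(redirectTo, "\\\r\n\t") {
		return false
	}
	u, err := url.Parse(redirectTo)
	if err != nil {
		return false
	}
	// Defence in depth: anything that parsed to a scheme, host or userinfo is
	// not a same-origin path.
	return u.Scheme == "" && u.Host == "" && u.User == nil
}

func main() {
	// Constructed sample redirect_to values; evil.example is a placeholder host.
	samples := []string{
		"/user/settings",
		"//evil.example",
		`/\evil.example`,
		"https://evil.example/",
		"",
	}
	for _, s := range samples {
		fmt.Printf("%-24q weak=%-5v hardened=%v\n", s, weakIsValidRedirect(s), isValidRedirect(s))
	}
}
```

Running it shows the weak check accepting `/\evil.example` while the hardened check rejects it; the `net/url` step alone would not have caught that value, which is why the explicit prefix test comes first.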
CPE

| Name | Operator | Version |
|---|---|---|
| github.com/gogs/gogs | eq | HEAD |